Date: 10/08/2025
Severity: High
Summary
On September 18, 2025, Fortra disclosed CVE-2025-10035 (CVSS 10.0), a deserialization vulnerability in the License Servlet of GoAnywhere MFT affecting versions 7.8.3 and earlier (fixed in 7.8.4 and Sustain Release 7.6.3). An attacker who holds a validly forged license response signature can make the servlet deserialize an arbitrary attacker-controlled object, which can lead to command injection and remote code execution. No authentication is needed: the exploit is a crafted request to the License Servlet, so any instance whose admin console is reachable from the internet is at direct risk, while instances with the console restricted to trusted networks are not exposed to this path. Microsoft Threat Intelligence attributes in-the-wild exploitation to Storm-1175, a financially motivated group known for deploying Medusa ransomware, with activity observed as early as September 11, 2025, before public disclosure. Fortra recommends checking the admin console logs for errors containing the string SignedObject.getObject as an indicator of exploitation attempts.
Indicators of Compromise (IOC) List
IP Address:
31.220.45.120
45.11.183.123
213.183.63.41
Hash (SHA-256):
4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220
c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3
cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3
5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (IOC IP addresses as source or destination):
dstipaddress IN ("31.220.45.120","45.11.183.123","213.183.63.41") or srcipaddress IN ("31.220.45.120","45.11.183.123","213.183.63.41")
Detection Query 2 (IOC file hashes):
sha256hash IN ("4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220","c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3","cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3","5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19")
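For teams without the Gurucul platform, the following is an added example (not Gurucul's own code) that applies the same IP and SHA-256 checks as the two queries above to plain log lines. It assumes a simple key=value log format and reuses the query field names (srcipaddress, dstipaddress, sha256hash); the sample log lines are constructed, not real telemetry. It also regenerates the query text from the IOC list so the queries can be rebuilt when the list changes.

```python
"""IOC matcher for the CVE-2025-10035 advisory above (added example)."""
import re

# IOC values copied from the advisory's IOC list, in the order listed.
IOC_IPS = (
    "31.220.45.120",
    "45.11.183.123",
    "213.183.63.41",
)
IOC_SHA256 = (
    "4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220",
    "c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3",
    "cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3",
    "5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19",
)
_IP_SET = frozenset(IOC_IPS)
_HASH_SET = frozenset(IOC_SHA256)

# Field names follow the advisory's queries (assumed log schema).
IP_FIELDS = ("dstipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)

# Constructed sample log lines (not real telemetry). Hash case and field
# order are varied on purpose to show the normalisation the matcher applies.
SAMPLE_LOGS = [
    "ts=2025-10-06T01:12:03Z type=netflow srcipaddress=10.0.5.17 dstipaddress=31.220.45.120 dstport=443",
    "ts=2025-10-06T01:12:09Z type=netflow srcipaddress=10.0.5.17 dstipaddress=142.250.80.46 dstport=443",
    "ts=2025-10-06T01:15:41Z type=netflow srcipaddress=213.183.63.41 dstipaddress=10.0.5.17 dstport=8000",
    "ts=2025-10-06T01:20:00Z type=process host=mft01 sha256hash=4106C35FF46BB6F2F4A42D63A2B8A619F1E1DF72414122DDF6FD1B1A644B3220 image=C:\\Windows\\Temp\\update.exe",
    "ts=2025-10-06T01:21:00Z type=process host=mft01 sha256hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 image=C:\\Windows\\System32\\notepad.exe",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse a key=value log line into a dict (values are whitespace-free tokens)."""
    return dict(_KV.findall(line))


def match_iocs(event):
    """Return (field, value, ioc_type) for every IOC hit in one parsed event."""
    hits = []
    for field in IP_FIELDS:
        value = event.get(field)
        if value in _IP_SET:
            hits.append((field, value, "ip"))
    for field in HASH_FIELDS:
        value = event.get(field)
        # EDR products differ in hash casing; compare lower-case like the queries.
        if value and value.lower() in _HASH_SET:
            hits.append((field, value.lower(), "sha256"))
    return hits


def scan(lines):
    """Scan raw lines; return one dict per hit, with the line index for triage."""
    results = []
    for idx, line in enumerate(lines):
        for field, value, kind in match_iocs(parse_kv(line)):
            results.append({"line": idx, "field": field, "value": value, "type": kind})
    return results


def build_query(fields, values):
    """Render a 'field IN (...)' clause ORed over fields, in the advisory's query
    syntax, so the query text can be regenerated when the IOC list changes."""
    quoted = ",".join(f'"{v}"' for v in values)
    return " or ".join(f"{f} IN ({quoted})" for f in fields)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
    print(build_query(IP_FIELDS, IOC_IPS))
    print(build_query(HASH_FIELDS, IOC_SHA256))
```

On the constructed sample, the scan reports the outbound connection to 31.220.45.120, the inbound connection from 213.183.63.41 on port 8000, and the upper-cased copy of the first IOC hash; the benign lines produce no hits. build_query(IP_FIELDS, IOC_IPS) reproduces Detection Query 1 character for character.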
Reference:
https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/