FortiNDRCloud
SaaS based NDR solution providing 365 days data retention, along with Technical Success Manager
kcheung
Staff
Article Id 415354
Description

Fortra GoAnywhere MFT is a secure managed file transfer (MFT) solution that automates and protects data exchange within and between organizations.


Storm-1175, a threat actor tracked by Microsoft Threat Intelligence, has been seen actively exploiting CVE-2025-10035 in Fortra GoAnywhere MFT.

CVE-2025-10035 is a deserialization vulnerability in the License Servlet component of Fortra's GoAnywhere MFT.

An unauthenticated attacker could send a crafted (forged) license response to the License Servlet and trigger unsafe Java deserialization that leads to command execution/RCE.


The following versions of Fortra GoAnywhere MFT are vulnerable to CVE-2025-10035:

  • Version < 7.63
  • 7.7.0 ≤ Version < 7.84

CVE ID

CVE-2025-10035 (https://nvd.nist.gov/vuln/detail/CVE-2025-10035)

NDR Cloud Detection Rule

FortiNDR Cloud v25.3c+

Detection Rule Name: FortiGuard Outbreak Alert: Fortra GoAnywhere MFT Command Injection - CVE-2025-10035

Category: Attack: Exploitation

Primary MITRE ID: T1190 - Exploit Public-Facing Application

Playbook 

N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for "Fortra GoAnywhere MFT Attack" related activities.

IOC source: https://www.fortiguard.com/outbreak-ioc?tag=GoAnywhere%20MFT%20Attack

All IOCs relating to "Fortra GoAnywhere MFT Attack" have been added to Threat Intelligence Intel.

Suricata Coverage

Customers can create custom investigations and detections using the Suricata signatures below:

2064920 -> ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Authentication Bypass via License Servlet (CVE-2025-10035)

2064921 -> ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Response Valid License Request Token Disclosure

2064922 -> ET HUNTING Fortra GoAnywhere MFT Insecure Deserialization via License Servlet (CVE-2025-10035)
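
For teams that also run a standalone Suricata sensor, the following added example (not part of the original article and not Fortinet code) triages alerts for the three signature IDs above from EVE JSON output, grouping them by client/server IP pair. It assumes the standard EVE alert fields (`event_type`, `src_ip`, `dest_ip`, `timestamp`, `alert.signature_id`); the function name `triage` and the sample records are constructed for illustration.

```python
import json
from collections import defaultdict

# Signature IDs and names as listed in the Suricata Coverage section.
SIDS = {
    2064920: "Authentication Bypass via License Servlet",
    2064921: "Response Valid License Request Token Disclosure",
    2064922: "Insecure Deserialization via License Servlet",
}

# Constructed sample EVE lines (documentation-range IPs), not real telemetry.
SAMPLE_EVE = [
    '{"timestamp":"2025-10-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature_id":2064920}}',
    '{"timestamp":"2025-10-01T10:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","alert":{"signature_id":2064921}}',
    '{"timestamp":"2025-10-01T10:00:05.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature_id":2064922}}',
    '{"timestamp":"2025-10-01T11:30:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.10","alert":{"signature_id":2064922}}',
    '{"timestamp":"2025-10-01T11:31:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.10","alert":{"signature_id":1000001}}',
    '{"timestamp":"2025-10-01T11:32:00.000000+0000","event_type":"flow","src_ip":"203.0.113.9","dest_ip":"192.0.2.10"}',
    '{"timestamp":"2025-10-01T11:33',
]

def triage(lines):
    """Group alerts for the listed SIDs by unordered IP pair, busiest pairs first."""
    pairs = defaultdict(lambda: {"sids": set(), "count": 0, "first": None, "last": None})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written lines
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        sid = (ev.get("alert") or {}).get("signature_id")
        if sid not in SIDS or "src_ip" not in ev or "dest_ip" not in ev:
            continue
        # Key on the unordered pair so request-side and response-side alerts merge.
        key = tuple(sorted((ev["src_ip"], ev["dest_ip"])))
        rec = pairs[key]
        rec["sids"].add(sid)
        rec["count"] += 1
        ts = ev.get("timestamp", "")  # same-format timestamps compare as strings
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    # Pairs that tripped the most distinct signatures are listed first.
    return sorted(pairs.items(), key=lambda kv: (-len(kv[1]["sids"]), kv[0]))

if __name__ == "__main__":
    for (a, b), rec in triage(SAMPLE_EVE):
        names = "; ".join(SIDS[s] for s in sorted(rec["sids"]))
        print(f"{a} <-> {b}: {rec['count']} alert(s), {rec['first']} to {rec['last']}: {names}")
```
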

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to:

https://www.fortiguard.com/outbreak-alert/goanywhere-mft-attack
