Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability

MITRE Techniques

• [T1521 ] Resource Hijacking – Attackers abused the GoAnywhere License Servlet deserialization to execute attacker-controlled objects, enabling command injection and RCE (“bypass signature verification by crafting a forged license response signature, which then allows the deserialization of arbitrary, attacker-controlled objects”).
• [T1204 ] User Execution – Creation and likely use of .jsp web shells within GoAnywhere MFT directories to execute commands (“creation of .jsp files within the GoAnywhere MFT directories was observed”).
• [T1078 ] Valid Accounts – Use of remote monitoring and management (RMM) tools like SimpleHelp and MeshAgent to maintain persistence and remote access (“They abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent. They dropped the RMM binaries directly under the GoAnywhere MFT process”).
• [T1018 ] Remote System Discovery – Deployment of tools such as netscan for network discovery to identify further targets (“They deployed tools like netscan for network discovery”).
• [T1021 ] Remote Services – Lateral movement via mstsc.exe to move across systems in the compromised network (“Lateral movement was achieved using mstsc.exe, allowing the threat actor to move across systems”).
• [T1090 ] Proxy/Tunneling – Setup of a Cloudflare tunnel for secure command-and-control communication (“even set up a Cloudflare tunnel for secure C2 communication”).
• [T1048 ] Exfiltration Over Alternative Protocol – Use of Rclone for data exfiltration from at least one victim environment (“During the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment”).
• [T1486 ] Data Encrypted for Impact – Deployment of Medusa ransomware as the final action on objectives in one compromised environment (“Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed”).