In September 2025, security researchers warned of CVE-2025-10035, a critical remote code execution flaw in Fortra’s GoAnywhere Managed File Transfer (MFT) platform. Rated CVSS 10.0, the vulnerability allows attackers to take full control of affected systems without authentication — a worst-case scenario for software trusted to handle sensitive enterprise data.
The flaw, disclosed by Fortra and subsequently added to the CISA Known Exploited Vulnerabilities (KEV) catalog, has already been exploited in the wild. Microsoft reported that the Medusa ransomware group (Storm-1175) used the vulnerability as an entry point into corporate networks, leading to data theft and large-scale encryption incidents. What began as a compromise of a file transfer service quickly escalated into full-scale breaches, highlighting how a single flaw in a trusted platform can ripple across an organization’s entire infrastructure.
The Trick Behind the Vulnerability
GoAnywhere MFT is an enterprise-grade solution that automates and manages file transfers between internal systems, partners, and cloud services. It is widely used by banks, healthcare providers, energy companies, and government agencies to protect sensitive data and simplify business-critical exchanges.
CVE-2025-10035 lies in the way GoAnywhere processes license activation requests. When the server receives what appears to be a legitimate license “bundle,” it automatically processes the data. An attacker can craft a forged activation file containing hidden instructions that the system executes silently, without user interaction, granting full control over the server.
Real-World Impact: From File Management to Full Compromise
The consequences of CVE-2025-10035 are significant. Microsoft Threat Intelligence confirmed that Storm-1175, a financially motivated group deploying Medusa ransomware, actively exploited this flaw, with at least one confirmed ransomware deployment.
GoAnywhere MFT often sits at the heart of an organization’s data flows, handling payroll, contracts, medical records, and other sensitive files. A single compromised server can serve as a launchpad for broader attacks. Exploiting this vulnerability allows attackers to steal or tamper with data, deploy ransomware, and move laterally into internal networks using credentials stored in the MFT system. Because these services often operate behind the scenes, breaches may go undetected until data is exfiltrated or encrypted. The combination of widespread deployment in high-value industries and the ability to execute commands without authentication makes this vulnerability a particularly attractive target for financially motivated cybercriminals.
Takeaway: Trust Is Not a Security Boundary
The GoAnywhere incident underscores a critical reality: even trusted enterprise tools can become attackers’ easiest entry points. Attackers deliberately target these systems because of their privileged access and the sensitive data they handle.
Key lessons for security teams:
- Never assume “secure” platforms are immune to exploitation.
- Limit public exposure of administrative interfaces.
- Patch quickly and continuously monitor for unusual activity.
- Treat file transfer servers as high-risk assets, on par with domain controllers and identity systems, as they often hold the keys to your most valuable data.
RidgeBot Detection and Exploitation Simulation


In today’s threat landscape, vulnerabilities like CVE-2025-10035 show how quickly a trusted file transfer service can be exploited. RidgeBot automated penetration testing helps security teams identify and assess these risks before attackers can strike.
By simulating real-world attack paths, RidgeBot uncovers vulnerable GoAnywhere MFT instances, confirms the vulnerability, and provides actionable remediation guidance, all in hours instead of weeks. Powered by threat intelligence and AI-driven analysis, RidgeBot gives teams the visibility and confidence to proactively protect sensitive data and prevent ransomware or data breaches.
