Exploited trust: What GoAnywhere reveals about supply chain weak links

The GoAnywhere breach is a wake-up call for supply chain partners, exposing how fragile trust becomes when visibility and shared security standards break down.

When Microsoft confirmed that the threat actor Storm-1175 has been actively exploiting CVE-2025-10035 in GoAnywhere MFT systems, the disclosure revealed far more than another ransomware incident. It exposed a deep flaw in how modern organizations structure, secure, and manage their digital supply chains. This wasn’t merely a software vulnerability. It was a signal that the connective tissue linking thousands of companies—the managed file transfer (MFT) systems that power everyday business exchanges—has become one of the most dangerous single points of failure in the enterprise ecosystem.

The Shadowserver Foundation is currently tracking more than 500 GoAnywhere instances still exposed to the internet. A recent Kiteworks report found that organizations in the MFT “danger zone” typically manage between 1,001 and 5,000 third-party connections, facing average breach costs between $3 million and $5 million per incident. Each compromised system therefore represents not one victim, but hundreds or thousands of potential exposures. And Storm-1175 began exploiting this vulnerability as a zero-day on September 10, eight days before public disclosure. During that silent window, malicious code spread invisibly through trusted supply chain channels while security teams remained unaware that their partners had become conduits for infection.

Managed file transfer platforms play an unglamorous but mission-critical role in global commerce. They are not just tools for moving data; they are cross-organizational bridges that facilitate payroll transfers, product design exchanges, and sensitive health information flows. Unlike internal applications confined within a single organization, MFT systems connect multiple companies, networks, and security domains. They are designed to share, not isolate—making them inherently difficult to defend.

This creates what researchers call the “trust multiplier problem.” Your vendor’s vulnerability becomes your exposure, yet you have no operational visibility into their systems. The Kiteworks MFT Security and Compliance Risk Survey found that while 72% of companies say they evaluate vendor security, most rely on static, point-in-time assessments rather than continuous monitoring. Vendor questionnaires provide compliance snapshots—not real-time status. So when Partner X is breached, you typically find out only if they tell you. And in a tightly connected ecosystem, that delay can be catastrophic.

Storm-1175’s exploitation of CVE-2025-10035 shows how supply chain contamination unfolds. The attackers compromise one partner’s GoAnywhere system through a deserialization flaw, perform reconnaissance to map that partner’s file transfer relationships, then move laterally into connected networks using legitimate transfer sessions. Because the activity occurs through authenticated and “trusted” connections, traditional security controls—including zero-trust frameworks—often allow the traffic through. The ransomware payload rides in on legitimate business data.

From September 10 to 18, attackers used this method to compromise multiple supply chains before public disclosure. By the time Microsoft and watchTowr Labs confirmed exploitation weeks later, many organizations had already exchanged contaminated files through legitimate channels—unknowingly spreading ransomware through their own business relationships. Storm-1175’s tactics mirror those seen in the 2023 Clop ransomware campaign exploiting GoAnywhere’s earlier CVE-2023-0669 vulnerability. That event showed how secondary infections propagate weeks later when partners open trusted—but poisoned—files. The lesson then remains painfully relevant today: your partners’ security lapses can become your next ransomware breach.

MFT-based supply chain attacks succeed because of visibility gaps and architectural fragility. Half of all organizations cannot accurately map their third-party connections, and most vendor-risk assessments occur on quarterly or annual cycles—hopelessly misaligned with the pace of modern exploitation. Disclosure delays compound the problem. Breach notifications often arrive 30–90 days after detection, if they arrive at all. By then, attackers have used legitimate partner channels to establish persistence across multiple networks.

Financial consequences escalate rapidly. IBM’s 2025 Cost of a Data Breach Report places the global average at $4.44 million, but supply chain-originating breaches cost two to three times more, due to contractual liabilities and multi-jurisdictional fines under GDPR, CCPA, and HIPAA. Legacy MFT architecture amplifies this impact. Designed for connectivity rather than containment, most platforms lack micro-segmentation or zero-trust boundaries between partner environments. A single compromised credential often grants access to the entire partner ecosystem. Meanwhile, security teams whitelist “trusted partner” traffic—creating blind spots that attackers intentionally exploit.

Responding to MFT exploitation requires collective action across partner ecosystems, not just internal patching. Organizations must verify not only that their own GoAnywhere or similar systems are secure, but that their partners have patched as well. Security teams should:

  • Inspect file transfers dating back to September 10 for known Storm-1175 indicators of compromise (IOCs).
  • Correlate logs for suspicious partner activity or unusual authentication patterns.
  • Consider temporarily suspending high-risk connections until partners confirm patch status and a clean bill of health.
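The three response steps above amount to a triage pass over the MFT audit trail. The script below is an added example, not code from the article, Kiteworks, or Fortra: it parses a constructed audit log (timestamps, partner accounts, source IPs and file hashes are all made up), flags transfers on or after the September 10 cutoff whose hash is on a placeholder indicator list, flags partner accounts that authenticate from outside their known baseline IPs, flags bursts of failed logins, and then derives which partner connections to suspend and which source IPs to block. The log format and the indicator hashes are assumptions for illustration only.

```python
"""Triage of a constructed MFT audit log (added example, not the article's code).

Log format, partner names, IP addresses, baseline and hashes are all constructed.
IOC_HASHES is a placeholder list, not real indicators for any threat actor.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp, event, partner account, source IP, detail
SAMPLE_LOG = """\
2025-09-08T09:12:04Z LOGIN partner-a 203.0.113.10 ok
2025-09-08T09:12:30Z XFER partner-a 203.0.113.10 sha256=1111aaaa
2025-09-11T02:41:17Z LOGIN partner-a 198.51.100.77 ok
2025-09-11T02:42:01Z XFER partner-a 198.51.100.77 sha256=deadbeef00
2025-09-11T02:43:10Z LOGIN partner-b 198.51.100.77 fail
2025-09-11T02:43:12Z LOGIN partner-b 198.51.100.77 fail
2025-09-11T02:43:15Z LOGIN partner-b 198.51.100.77 fail
2025-09-11T02:43:18Z LOGIN partner-b 198.51.100.77 fail
2025-09-12T10:05:00Z LOGIN partner-b 192.0.2.5 ok
2025-09-12T10:05:40Z XFER partner-b 192.0.2.5 sha256=2222bbbb
"""

# Known-good source IPs per partner account (constructed baseline)
BASELINE_IPS = {
    "partner-a": {"203.0.113.10"},
    "partner-b": {"192.0.2.5"},
}

# Placeholder indicator hashes (constructed; NOT real IOCs)
IOC_HASHES = {"deadbeef00"}

CUTOFF = datetime(2025, 9, 10)   # start of the pre-disclosure exposure window
FAIL_BURST = 3                   # failed logins inside the window that trigger a finding
BURST_WINDOW_SEC = 60


def parse_log(text):
    """Parse the constructed space-separated audit format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, event, partner, ip, detail = line.split(" ", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "partner": partner, "ip": ip, "detail": detail,
        })
    return events


def triage(events):
    """Return (finding_type, partner, evidence) tuples in log order."""
    findings = []
    fails = defaultdict(list)  # (partner, ip) -> timestamps of recent failures
    for e in events:
        # 1. Transfers in the exposure window whose hash matches an indicator
        if e["event"] == "XFER" and e["ts"] >= CUTOFF:
            digest = e["detail"].split("=", 1)[1]
            if digest in IOC_HASHES:
                findings.append(("ioc_match", e["partner"], digest))
        # 2. Successful partner login from an IP outside that partner's baseline
        if e["event"] == "LOGIN" and e["detail"] == "ok":
            if e["ip"] not in BASELINE_IPS.get(e["partner"], set()):
                findings.append(("new_source_ip", e["partner"], e["ip"]))
        # 3. Burst of failed logins against one account from one IP
        if e["event"] == "LOGIN" and e["detail"] == "fail":
            key = (e["partner"], e["ip"])
            fails[key].append(e["ts"])
            fails[key] = [t for t in fails[key]
                          if (e["ts"] - t).total_seconds() <= BURST_WINDOW_SEC]
            if len(fails[key]) == FAIL_BURST:  # fire once per burst
                findings.append(("auth_burst", e["partner"], e["ip"]))
    return findings


def containment_plan(findings):
    """Partners to suspend (evidence of compromise) and source IPs to block."""
    suspend, block = set(), set()
    for kind, partner, evidence in findings:
        if kind in ("ioc_match", "new_source_ip"):
            suspend.add(partner)
        if kind in ("new_source_ip", "auth_burst"):
            block.add(evidence)
    return {"suspend_partners": sorted(suspend), "block_ips": sorted(block)}


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for f in found:
        print(*f)
    print(containment_plan(found))
```

The baseline-IP check is the piece that catches "legitimate" sessions riding on stolen partner credentials, which is exactly the traffic the article says whitelisting lets through; the indicator list should be replaced with the vendor-published IOCs for the incident being investigated.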

To break this cycle, organizations must move beyond reactive patching to architectural resilience. The goal is to make partner compromise containable—not contagious.

  • Micro-segmentation between partners: Treat each partner connection as its own security zone. Compromise of Partner A should not allow lateral movement into Partner B’s data or systems.
  • Hardened MFT appliances: Reduce attack surfaces by isolating file transfer functions in dedicated, locked-down virtual appliances. During the Log4Shell crisis, properly hardened systems reduced exploitability from CVSS 10 to 4.
  • Continuous partner verification: Replace static credentials with dynamic trust models. Authenticate and authorize every session and every transfer—not just the initial partner handshake.
  • Embedded threat controls: Apply content disarm and reconstruction (CDR), sandboxing, and AI-driven anomaly detection to all partner file transfers. Only 27% of firms currently do this, leaving wide openings for sophisticated malware.
  • Zero-trust for B2B: Extend zero-trust principles to partner connections: verify explicitly, limit privileges, and continuously monitor. Assume partner compromise and design for containment.

For supply chain and procurement executives, this incident isn’t just a cybersecurity issue—it’s a business continuity and governance problem. Ask yourself:

  • Do we know every partner connected to our file transfer systems?
  • How quickly would we know if one was compromised?
  • Can we isolate or reroute data flows without halting operations?
  • Are our vendor contracts and SLAs updated to require rapid breach notification and continuous security monitoring?

CVE-2025-10035 represents more than a GoAnywhere flaw—it’s a systemic wake-up call. The 500-plus exposed MFT systems tracked today could each serve as a “patient zero,” connected to hundreds of downstream businesses. Your security posture is only as strong as your least-secure partner, and in many cases, you can’t even see that partner’s risk. The architectural decisions made today—segmentation, monitoring, visibility—will determine whether your digital supply chain becomes your greatest vulnerability or your competitive differentiator. Storm-1175 and similar threat actors are betting that organizations will remain complacent, relying on blind trust and outdated systems. Proving them wrong means moving from implicit trust to continuous verification, from monolithic architectures to micro-segmented ecosystems, and from reactive patching to proactive resilience.

Action steps for supply chain leaders

  • Map all MFT dependencies: Identify every internal and external file transfer connection. Maintain a live inventory of who connects, how often, and with what data types.
  • Demand partner transparency: Require partners to provide evidence of patching and compromise assessments after major vulnerabilities. Make continuous risk sharing contractual.
  • Segment partner connections: Implement architectural controls preventing one partner’s compromise from cascading through your network.
  • Deploy continuous threat scanning: Treat partner file transfers as untrusted until scanned with CDR, sandboxing, and anomaly detection tools.
  • Update third-party risk policies: Move from annual compliance surveys to real-time monitoring. Use automation to detect changes in partner security posture.
  • Practice joint incident response: Establish shared playbooks with key suppliers and customers to accelerate detection and containment across the ecosystem.
  • Plan for partner failure: Assume a trusted partner will be compromised. Design systems and workflows that can isolate or replace them without disrupting business continuity.

Bottom line: GoAnywhere’s exploitation is not just another cybersecurity headline—it’s a mirror held up to the fragile trust model underlying modern supply chains. The organizations that treat this as an architectural turning point, not a one-off event, will be the ones still standing when the next MFT exploit hits.


About the author

Frank Balonis is chief information security officer and senior VP of operations and support at Kiteworks, with more than 20 years of experience in IT support and services. Since joining Kiteworks in 2003, Frank has overseen technical support, customer success, corporate IT, security and compliance, collaborating with product and engineering teams. He holds a Certified Information Systems Security Professional (CISSP) certification and served in the U.S. Navy. He can be reached at [email protected].

The exploitation of GoAnywhere’s managed file transfer systems by Storm-1175 exposes how fragile and interconnected today’s digital supply chains have become—and why organizations must move from reactive patching to proactive, trust-based resilience.
(Photo: Getty Images)