
When Microsoft confirmed that Storm-1175 has been actively exploiting CVE-2025-10035 in GoAnywhere Managed File Transfer (MFT) systems, it revealed more than just another ransomware campaign—it exposed a critical flaw in how organizations manage supply chain security. This isn’t only about vulnerable software. It’s about the invisible architecture connecting thousands of businesses through file transfer systems, which have become one of the most dangerous single points of failure in today’s digital supply chains.
Cascading Risk in Supply Chains
Consider the mathematics of cascading risk. The Shadowserver Foundation tracks over 500 GoAnywhere instances exposed to the internet. According to a recent Kiteworks report, organizations in the “danger zone” typically manage between 1,001 and 5,000 third-party connections through their MFT platforms, so a single compromised instance can put hundreds or thousands of connected partners at risk, each facing an average breach cost of $3 to $5 million. Storm-1175 began exploiting this zero-day vulnerability on September 10—eight days before public disclosure—allowing the compromise to spread silently through trusted business relationships while security teams remained unaware.
MFT as Supply Chain Infrastructure
Managed file transfer systems occupy a unique and precarious position in business architecture. Unlike internal applications, MFT platforms bridge different companies, security domains, and networks, facilitating bidirectional exchanges of sensitive data. When your accounting firm sends payroll data, when a manufacturer receives design specifications, or when a healthcare provider exchanges patient records, these transactions often flow through MFT infrastructure.
This creates what security researchers call the “trust multiplier problem.” Your vendor’s MFT vulnerability instantly becomes your exposure, yet you typically have no visibility into their security posture. Kiteworks’ survey shows that while 72% of organizations claim to evaluate vendor security, these assessments are often one-off compliance checks rather than continuous monitoring. Vendor questionnaires capture snapshots, not real-time vulnerability status. You cannot detect when Partner X is compromised until they disclose it—if they do. Transitive trust means Partner A trusts Partner B, Partner B trusts Partner C, but Partner A has no idea that Partner C is already breached.
CVE-2025-10035 illustrates this perfectly. The flaw itself is a pre-authentication deserialization bug in GoAnywhere’s License Servlet, reachable whenever the admin console is exposed to the internet. Storm-1175 exploited a partner’s GoAnywhere installation, mapped that partner’s file transfer relationships, and used the partner’s legitimate, authenticated transfers to reach connected networks. Because those sessions were expected and authenticated, perimeter defenses and access policies that extend trust to known partners saw nothing out of place.
Anatomy of a Supply Chain Attack
The timeline underscores the challenge. Between September 10 and 18, Storm-1175 conducted initial compromises across multiple supply chains while the vulnerability was unknown. Trusted business connections became infection vectors. Public disclosure on September 18 triggered a patch race, but watchTowr Labs confirmed exploitation only on September 26. Microsoft’s public statement arrived nearly a month after initial attacks began, meaning contamination likely spread for weeks.
Storm-1175 maps partner relationships, uses legitimate file transfers for delivery, maintains persistence with remote monitoring and management tools such as SimpleHelp and MeshAgent, and deploys Medusa ransomware across multiple supply chains simultaneously. Supply chain attacks succeed because they ride trusted, authenticated connections past perimeter and access controls, scale with the number of partner relationships, and gain dwell time from delayed breach notifications.
The Medusa Example
Storm-1175’s Medusa ransomware has impacted over 300 critical infrastructure organizations, according to CISA and the FBI. The 2023 Clop ransomware attack exploiting GoAnywhere CVE-2023-0669 serves as a precedent: secondary infections propagated through file transfers as partners discovered contaminated files weeks later. Delayed notifications extended response timelines, allowing attackers to monetize access multiple times across interconnected victims. Today, the 500-plus exposed GoAnywhere instances represent 500 potential “patient zeros,” each linked to hundreds or thousands of partners. Organizations cannot secure themselves without accounting for partners’ MFT vulnerabilities.
Why Supply Chain MFT Attacks Succeed
Fundamental visibility gaps make these attacks effective. Half of organizations cannot accurately quantify third-party connections. Vendor risk programs run on quarterly or annual cycles, missing continuous changes in threat landscapes. Direct breach costs average $4.44 million, but supply chain breaches can cost two to three times more due to partner liabilities. Extended detection timelines exacerbate financial impacts: litigation costs alone exceed $5 million in 27% of cases when detection takes 31–90 days. Legacy MFT systems, designed for connectivity rather than segmentation, amplify these risks.
Defending Against Supply Chain MFT Attacks
Organizations must think beyond internal infrastructure. Immediate steps include:
- Verify all partners have patched vulnerable systems to a fixed build (GoAnywhere 7.8.4, or 7.6.3 on the Sustain release line) and have taken any internet-exposed admin console offline.
- Inspect partner file transfers from September 10 onward for indicators of compromise, and check your own GoAnywhere hosts for web shells and unexpected remote-management agents such as SimpleHelp and MeshAgent.
- Consider temporarily suspending high-risk partner connections until security posture is verified.
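The three immediate steps above can be driven from data most teams already hold: partner patch attestations and the MFT transfer audit log. The script below is an added example, not Kiteworks’ or Fortra’s code. Its attestation records and log format are constructed for illustration and do not follow GoAnywhere’s real schema, and the fixed-build numbers are taken from Fortra’s bulletin as understood here and should be confirmed against the advisory before use. It recommends suspension for partners who cannot attest to a fixed build, and flags for review any transfer that occurred between the first known exploitation date and a partner’s claimed patch date, plus any executable or script arriving over a data feed.

```python
"""Partner-connection triage after the GoAnywhere MFT zero-day.

Added illustration; attestation records and the audit-log format are
constructed and do not follow GoAnywhere's real schema.
"""
from datetime import datetime, timezone

# First known exploitation date cited in the article; anything from here on is in scope.
EXPLOIT_START = datetime(2025, 9, 10, tzinfo=timezone.utc)

# Fixed builds per release line, as understood from the vendor bulletin.
# Treat as a parameter and confirm against Fortra's advisory before relying on it.
FIXED_BUILDS = {(7, 8): (7, 8, 4), (7, 6): (7, 6, 3)}

# Hypothetical policy: file types that should never arrive over a data-exchange feed.
RISKY_EXTENSIONS = {"exe", "dll", "msi", "ps1", "bat", "cmd", "vbs", "js", "hta", "jar", "scr"}

# Constructed partner attestations: reported build and the day they say they patched.
PARTNER_ATTESTATIONS = {
    "acme-payroll":   {"version": "7.8.4", "patched_on": "2025-09-19"},
    "globex-design":  {"version": "7.8.2", "patched_on": None},
    "initech-claims": {"version": "7.6.3", "patched_on": "2025-09-20"},
}

# Constructed transfer audit lines: "<ISO-8601 UTC> <partner> <direction> <path> <bytes>".
SAMPLE_LOG = """\
2025-09-08T09:12:44Z acme-payroll inbound /in/payroll_2025w36.csv 48213
2025-09-12T02:17:03Z globex-design inbound /in/spec_rev7.pdf 913002
2025-09-12T02:18:50Z globex-design inbound /in/update.exe 4530112
2025-09-13T11:40:10Z initech-claims outbound /out/claims_batch.edi 77120
2025-09-15T03:05:22Z globex-design inbound /in/setup.ps1 2231
"""


def parse_version(text):
    """'7.8.4' -> (7, 8, 4)."""
    return tuple(int(part) for part in text.split("."))


def is_patched(version):
    """True only if the build is at or above the fixed build of its own release line.
    Release lines not in FIXED_BUILDS are treated as unpatched (fail closed)."""
    fixed = FIXED_BUILDS.get(version[:2])
    return fixed is not None and version >= fixed


def parse_log(text):
    """Parse the constructed audit format into dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, partner, direction, path, size = line.split()
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "partner": partner, "direction": direction,
            "path": path, "bytes": int(size),
        })
    return events


def triage(attestations, log_text, cutoff=EXPLOIT_START):
    """Per partner: patch status, transfers inside the exposure window, risky files,
    and a recommended action: "suspend", "review" or "ok"."""
    report = {}
    events = parse_log(log_text)
    for partner, att in attestations.items():
        patched = att["patched_on"] is not None and is_patched(parse_version(att["version"]))
        # Exposure window runs from first exploitation to the partner's claimed patch
        # date; it stays open if they have not patched. Transfers inside it need review.
        window_end = (datetime.fromisoformat(att["patched_on"]).replace(tzinfo=timezone.utc)
                      if patched else None)
        in_window, risky = [], []
        for ev in events:
            if ev["partner"] != partner or ev["time"] < cutoff:
                continue
            if window_end is None or ev["time"] < window_end:
                in_window.append(ev["path"])
            if ev["path"].rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
                risky.append(ev["path"])
        if not patched:
            action = "suspend"   # posture unverified: cut the connection until attested
        elif in_window or risky:
            action = "review"    # patched now, but moved files while exposed
        else:
            action = "ok"
        report[partner] = {"patched": patched, "in_window": in_window,
                           "risky_files": risky, "action": action}
    return report


if __name__ == "__main__":
    for partner, row in triage(PARTNER_ATTESTATIONS, SAMPLE_LOG).items():
        print(f"{partner:15} patched={row['patched']!s:5} action={row['action']:7} "
              f"window={len(row['in_window'])} risky={row['risky_files']}")
```

To use it against a real environment, replace `SAMPLE_LOG` with an export from the MFT audit log (adjusting `parse_log` to the export’s columns) and populate the attestation table from the vendor questionnaire or partner change tickets. The window logic is the part worth keeping: a partner who is fully patched today still needs every transfer between September 10 and their patch date examined.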
Architectural solutions can mitigate cascading risk:
- Micro-segmentation: Contain each partner connection in a separate security zone.
- Hardened virtual appliances: Reduce attack surfaces, limiting compromise severity.
- Embedded threat detection: Scan all partner file transfers as rigorously as internet traffic, using sandboxing, AI anomaly detection, and Content Disarm and Reconstruction (CDR).
- Zero-trust principles: Authenticate every session and transfer, enforce least privilege, and continuously verify trust.
Strategic Takeaways
Security leaders must ask hard questions: Can you enumerate all partner connections? Detect a partner’s compromise quickly? Isolate a compromised partner without disrupting others? Visibility, segmentation, and proactive monitoring are no longer optional—they are essential.
CVE-2025-10035 is more than a GoAnywhere flaw; it is a supply chain event with unknown scope. Your security is only as strong as your least-secure partner’s MFT system. With 500-plus exposed instances still vulnerable, the risk of ongoing supply chain contamination is real. Modern MFT platforms designed with supply chain security in mind offer a path forward, turning connectivity from a vulnerability into a competitive advantage.
Incremental fixes are insufficient. Organizations must embrace architectural reinvention: continuous verification, micro-segmented partner zones, and proactive resilience. Legacy MFT systems were not built for today’s threat landscape, and ransomware actors like Storm-1175 are exploiting that gap. The choice is clear: transform your approach to partner connectivity—or risk being the next victim in a cascading supply chain attack.
___
Frank Balonis is chief information security officer and senior VP of operations and support at Kiteworks, with more than 20 years of experience in IT support and services. Since joining Kiteworks in 2003, Frank has overseen technical support, customer success, corporate IT, security and compliance, collaborating with product and engineering teams. He holds a Certified Information Systems Security Professional (CISSP) certification and served in the U.S. Navy.