Critical GoAnywhere Vulnerability Exploited in Medusa Ransomware Attacks
A critical vulnerability in Fortra’s GoAnywhere MFT secure web-based file transfer tool is being actively exploited in Medusa ransomware attacks. According to Microsoft’s Threat Intelligence Team, the vulnerability is being exploited by a threat group it tracks as Storm-1175, which is known for deploying Medusa ransomware after exploiting vulnerabilities in public-facing applications.
The zero-day deserialization vulnerability is tracked as CVE-2025-10035 and has a maximum CVSS base score of 10. According to Fortra, a threat actor with a validly forged license response signature could deserialize an arbitrary actor-controlled object. Successful exploitation of the flaw can result in command injection without authorization, which can potentially lead to remote code execution. Fortra issued a security advisory about the flaw on September 18, 2025, and explained that the vulnerability affects the GoAnywhere MFT’s License Servlet Admin Console version 7.8.3 and prior versions. The vulnerability has been fixed in version 7.8.4 and the Sustain release 7.6.3.
Microsoft detected attacks exploiting the vulnerability at multiple organizations on September 11, 2025, although the threat intelligence company watchTowr believes that attacks started on September 10, 2025, more than a week before Fortra issued its security alert. Microsoft has observed Storm-1175 dropping remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent for persistence, and in some cases, creating .jsp files within GoAnywhere MFT directories.
The group establishes persistence, sets up secure C2 communications, and deploys additional tools and malware payloads to facilitate network discovery and lateral movement. The latter is achieved using mstsc.exe. The group identifies and exfiltrates sensitive data and has used Rclone for data exfiltration in at least one attack. After data exfiltration, the group deploys Medusa ransomware to encrypt files.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
All users are advised to immediately ensure that the GoAnywhere Admin Console is not exposed to the Internet and to update GoAnywhere to the latest version. Since the vulnerability has been exploited since at least September 11, 2025, patching alone is not sufficient. After updating the software, users should investigate for signs of compromise. “Customers are advised to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject: If this string is present in an exception stack trace (similar to the following), then the instance was likely affected by this vulnerability,” explained Fortra in its security alert.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog on September 29, 2025, and requires all federal civilian agencies to implement Fortra’s mitigations by October 20, 2025.
