A newly discovered zero-day flaw in Fortra's GoAnywhere Managed File Transfer (MFT) software has become the latest target for Medusa ransomware attackers, Microsoft confirmed this week.
The flaw, CVE-2025-10035, carries a maximum 10.0 CVSS score and stems from a deserialization weakness in the License Servlet of the GoAnywhere MFT Admin Console, affecting versions up to 7.8.3. It allows attackers to remotely execute arbitrary code on unpatched servers (in some cases without authentication), making it a prime target for ransomware operators.
According to Microsoft Threat Intelligence, a cybercrime group known as Storm-1175, a Medusa ransomware affiliate, began exploiting the flaw as early as September 11, 2025, nearly a week before vendor Fortra issued its patch on September 18, 2025.
Security researchers at WatchTowr Labs later confirmed that the flaw had been used as a zero-day, compromising several organizations before the patch was released.
"Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175," Microsoft said in its advisory while confirming WatchTowr Labs' report.
Inside The Attack Chain (From Exploit To Encryption)
The exploitation campaign follows a familiar multi-stage pattern seen in previous Medusa operations:
- Initial Access: Storm-1175 exploited the GoAnywhere deserialization flaw to break into corporate systems.
- Persistence: The group installed remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent to maintain control, often disguising them within GoAnywhere's own process directories.
- Post-Exploitation: The intruders deployed .jsp files within the GoAnywhere MFT directories, ran network scans, and performed user and system reconnaissance.
- Network Discovery: Attackers scanned networks using Netscan and conducted user reconnaissance.
- Lateral Movement: Using Microsoft's Remote Desktop Connection (exe), the attackers moved across systems within the compromised network.
- Command & Control (C2): The group set up a Cloudflare tunnel to carry its C2 traffic.
- Exfiltration: Finally, they used Rclone to steal data before deploying Medusa ransomware, encrypting systems, and demanding payment.
In at least one confirmed case, Microsoft observed a full Medusa ransomware payload being deployed after the attackers had established control.
Fortra Under Fire
Security experts criticized Fortra for quietly issuing a patch on September 18, 2025, without warning users that the flaw was under active exploitation.
Benjamin Harris, CEO of WatchTowr Labs, said Microsoft's findings "confirmed what we feared. Organizations running GoAnywhere MFT have effectively been under silent assault since at least September 11, with little clarity from Fortra." He called for transparency, asking how attackers obtained the keys needed to exploit the flaw.
The Shadowserver Foundation reports that more than 500 GoAnywhere MFT instances remain exposed online, though it's unclear how many have been patched.
What Users Should Do
Microsoft and Fortra are urging all customers to upgrade to the latest version immediately and review their systems for signs of compromise, especially errors containing "SignedObject.getObject" in logs.
Microsoft also recommends:
- Restricting external access to GoAnywhere Admin Consoles.
- Running endpoint detection and response (EDR) tools in block mode.
- Enabling attack surface reduction rules to prevent ransomware tactics.
Fortra emphasized that while patching fixes the flaw, it doesn't undo earlier breaches, urging organizations to conduct forensic reviews.
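The three checks the guidance above asks for (is the installed version in the affected range, do the logs contain the "SignedObject.getObject" error, and have any .jsp files appeared in the GoAnywhere directories since exploitation began on September 11) can be scripted for a quick first-pass triage. The following is an added example written for this article, not code from Microsoft, Fortra or WatchTowr; the log lines and directory layout are constructed for demonstration, the version check assumes that anything strictly newer than 7.8.3 is fixed, and a real review must compare every flagged .jsp against a known-good install rather than trust the mtime alone.

```python
"""Post-patch triage helpers for GoAnywhere MFT (CVE-2025-10035); added example."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Tuple

# Indicator named in the Microsoft/Fortra guidance: log errors that mention
# SignedObject.getObject, the Java call that deserializes the crafted object.
INDICATOR = "SignedObject.getObject"

# Highest affected version per the article ("up to 7.8.3").
# Assumption: any version strictly greater than this is fixed.
AFFECTED_MAX = (7, 8, 3)

# Date exploitation was first observed per Microsoft; files changed on or
# after it deserve a second look.
EXPLOITATION_START = datetime(2025, 9, 11, tzinfo=timezone.utc)

# Constructed sample log lines (not real GoAnywhere output).
SAMPLE_LOG = """\
2025-09-11 03:14:07 INFO  Admin Console started on port 8001
2025-09-11 03:15:22 ERROR License Servlet: java.lang.ClassCastException at java.security.SignedObject.getObject(SignedObject.java:178)
2025-09-11 03:15:23 INFO  User admin logged in
2025-09-12 10:02:45 ERROR java.security.SignedObject.getObject threw java.io.InvalidClassException
2025-09-12 10:03:00 INFO  Scheduled job completed
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.8.3' -> (7, 8, 3); tuples compare numerically, unlike the raw strings."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected_version(v: str) -> bool:
    """True when the installed version falls inside the affected range."""
    return parse_version(v) <= AFFECTED_MAX


def find_indicator_lines(log_text: str, indicator: str = INDICATOR) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each log line mentioning the indicator."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), start=1)
            if indicator in line]


def find_recent_jsp(root: str, since: datetime = EXPLOITATION_START) -> List[str]:
    """List .jsp files under root modified on or after `since`.

    A JSP shipped with the product carries an install-time mtime; one written
    by an intruder after initial access is newer. Every hit still needs to be
    compared against a clean install before it is treated as malicious.
    """
    since_ts = since.timestamp()
    hits = [str(p) for p in Path(root).rglob("*.jsp")
            if p.is_file() and p.stat().st_mtime >= since_ts]
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed fixture: one JSP from before the campaign, one dropped during it."""
    webapp = Path(root) / "goanywhere" / "webapps" / "ROOT"  # hypothetical layout
    webapp.mkdir(parents=True)
    old = webapp / "index.jsp"
    old.write_text("<%-- shipped with the product --%>")
    old_ts = datetime(2025, 9, 1, tzinfo=timezone.utc).timestamp()
    os.utime(old, (old_ts, old_ts))
    new = webapp / "dropped.jsp"
    new.write_text("<%-- written after the campaign began --%>")
    new_ts = datetime(2025, 9, 20, tzinfo=timezone.utc).timestamp()
    os.utime(new, (new_ts, new_ts))


def demo_recent_jsp() -> List[str]:
    """Run find_recent_jsp over the constructed tree; returns file basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.basename(p) for p in find_recent_jsp(tmp)]


def triage(version: str, log_text: str) -> dict:
    """Summarise the version and log checks; a forensic review is warranted
    if the host ever ran an affected build or the indicator appears."""
    hits = find_indicator_lines(log_text)
    affected = is_affected_version(version)
    return {
        "needs_upgrade": affected,
        "indicator_hits": len(hits),
        "review_needed": affected or bool(hits),
    }


if __name__ == "__main__":
    print(triage("7.8.3", SAMPLE_LOG))
    print(demo_recent_jsp())
```

Run it against the real log directory and installation root instead of the constructed fixture; because patching does not remove anything an intruder already dropped, the .jsp sweep is worth repeating on hosts that were upgraded after September 11 as well as on those still unpatched.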
Bottom Line
Organizations using GoAnywhere MFT should patch immediately, lock down internet access, and check for any signs of compromise. The Medusa group's campaign is a stark reminder that even trusted enterprise tools can become gateways to large-scale ransomware attacks if not properly secured.