Attackers Exploit Critical GoAnywhere Bug to Spread Medusa Ransomware
A critical GoAnywhere flaw (CVE-2025-10035) is being targeted in attacks by a threat group known for deploying Medusa ransomware.

October 7, 2025 | 2 min read

More details have come to light about the exploitation activity linked to a previously disclosed critical deserialization bug in Fortra’s GoAnywhere MFT (CVE-2025-10035).
Fortra issued an update with a patch on Sept. 18 for the flaw in GoAnywhere’s License Servlet Admin Console, which handles license validations. While Fortra did not say at the time, and still has not said, that the flaw is being exploited, researchers with watchTowr Labs on Sept. 25 pointed to “credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035 dating back to September 10, 2025.” Now, Microsoft researchers this week said they’re seeing the flaw being targeted in attacks by a threat group known for deploying Medusa ransomware.
What is CVE-2025-10035?
The vulnerability enables a threat actor with a validly forged license response signature to deserialize an attacker-controlled object. This could potentially lead to command injection and remote code execution.
“The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware,” according to Microsoft researchers on Monday.
How are attackers leveraging CVE-2025-10035?
Microsoft researchers first identified exploitation activity dating back to Sept. 11 in a multi-stage attack, which they linked to a threat actor tracked as Storm-1175. The threat actor exploited the flaw before abusing several remote monitoring and management (RMM) tools like SimpleHelp and MeshAgent. The threat actor also used tools like netscan for network discovery, mstsc.exe for lateral movement, and Rclone for data exfiltration.
“For command and control (C2), the threat actor utilized RMM tools to establish their infrastructure and even set up a Cloudflare tunnel for secure C2 communication,” according to Microsoft researchers. “Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.”
GoAnywhere and other managed file transfer platforms are attractive to threat actors because they often house sensitive and critical data from a wide number of organizations. Organizations are urged to upgrade to a patched version (the latest release is 7.8.4).
“Customers are advised to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject: If this string is present in an exception stack trace (similar to the following), then the instance was likely affected by this vulnerability,” according to Fortra in its security advisory.
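The advisory's check above can be scripted. The following is an added example, not code from Fortra or from this article, that groups a log file into records and reports only those records where the `SignedObject.getObject` string appears alongside Java stack-trace frames, so a plain log message that merely mentions the string is not flagged. The timestamp layout in `HEADER_RE` is an assumption and should be adjusted to the actual GoAnywhere log format; the sample log and the `com.example.placeholder` class names are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, Iterator, List

# Indicator string quoted in Fortra's advisory for CVE-2025-10035.
INDICATOR = "SignedObject.getObject"

# ASSUMPTION: each log record starts with an ISO-style timestamp; adjust
# HEADER_RE to the layout of the GoAnywhere log files you actually have.
HEADER_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")
# A Java stack-trace frame: "    at pkg.Class.method(File.java:123)"
FRAME_RE = re.compile(r"^\s*at\s+\S+\(.*\)\s*$")


def group_records(lines: Iterable[str]) -> Iterator[List[str]]:
    """Yield one record per timestamped header line, with any continuation
    lines (exception message, stack frames, 'Caused by:', '... N more') attached."""
    record: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if HEADER_RE.match(line) and record:
            yield record
            record = []
        record.append(line)
    if record:
        yield record


def find_indicator_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return records containing the indicator inside an exception stack trace.

    A record with no stack frames is never reported, even if it mentions the
    string, matching the advisory's 'present in an exception stack trace'."""
    hits: List[Dict[str, str]] = []
    for record in group_records(lines):
        has_frames = any(FRAME_RE.match(ln) for ln in record)
        matched = next((ln for ln in record if INDICATOR in ln), None)
        if has_frames and matched is not None:
            hits.append({"header": record[0], "line": matched.strip()})
    return hits


def scan_file(path: str) -> List[Dict[str, str]]:
    """Convenience wrapper: scan a log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_indicator_hits(fh)


# Constructed sample log. Only java.security.SignedObject is a real class;
# the com.example.placeholder frame is a stand-in, not GoAnywhere code.
SAMPLE_LOG = """\
2025-09-30 03:14:07 INFO  [admin] License check completed
2025-09-30 03:14:09 ERROR [admin] Error parsing license response
java.lang.RuntimeException: constructed sample exception
\tat java.security.SignedObject.getObject(SignedObject.java:0)
\tat com.example.placeholder.LicenseHandler.handle(LicenseHandler.java:0)
\t... 12 more
2025-09-30 03:15:00 INFO  [admin] Note: SignedObject.getObject mentioned in a plain message
"""

if __name__ == "__main__":
    for hit in find_indicator_hits(SAMPLE_LOG.splitlines()):
        print(f"{hit['header']}\n    -> {hit['line']}")
```

Run it against each GoAnywhere log file with `scan_file(path)`; a non-empty result is the advisory's signal that the instance was likely affected and should be treated as a trigger for the upgrade and for a review of the Admin Audit logs, not as proof of compromise on its own.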
Lindsey O’Donnell-Welch is an award-winning journalist who strives to shed light on how security issues impact not only businesses and defenders on the front line, but also the daily lives of consumers.