A cybercriminal group is exploiting a vulnerability in Fortra’s popular GoAnywhere file transfer tool to distribute Medusa ransomware, say researchers at Microsoft.
The researchers have attributed the exploitation to a group known as Storm-1175, who are known for utilizing this particular strain of ransomware and exploiting public-facing applications for initial access.
Tracked as CVE-2025-10035 and with a CVSS score of 10.0, the vulnerability is a critical deserialization flaw in GoAnywhere MFT’s License Servlet, and could enable threat actors to carry out command injection and Remote Code Execution (RCE) on affected systems. Because it doesn’t require authentication, this vulnerability is particularly dangerous for internet-exposed instances.
“The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware,” Microsoft said in its analysis of the vulnerability.
After exploiting the GoAnywhere vulnerability to gain initial access, threat actors dropped RMM payloads directly under the GoAnywhere MFT process and created .jsp files within the GoAnywhere MFT directory, which enabled them to execute user and system discovery commands. From there, they used mstsc.exe to move laterally within the compromised network.
Microsoft observed the deployment and execution of Rclone in at least one compromised environment, and the successful deployment of Medusa ransomware in another.
After discovering the vulnerability on September 11th, Fortra publicly disclosed and patched it on September 18th. However, the company declined to comment on how it was discovered or whether it had been actively exploited.
“This leaves security teams scrambling to assess risk and decide whether to assume continued exposure or to treat this as a prompt for a full incident response and forensic review,” said cybersecurity experts at watchTowr Labs in a vulnerability research report.
In their report, watchTowr Labs reported the vulnerability as having been exploited in the wild as early as September 10th—eight days before Fortra published its advisory.
Similarly, Microsoft stated that researchers first observed the flaw being exploited on the same day that Fortra reportedly discovered it.
Remediation Guidance
Since Microsoft released its report, the Cybersecurity and Infrastructure Security Agency (CISA) has also confirmed the vulnerability as having been exploited in the wild and, given its active exploitation status, has ordered all federal civilian agencies to patch it by October 20th. Admins can do this by upgrading to a patched version—either 7.8.4 (latest) or 7.6.3 (Sustain Release).
However, upgrading to a patched version does not address previous exploitation activity.
As such, admins are also advised to inspect log files for errors containing the string SignedObject.getObject to determine whether an instance has been impacted, remove public internet exposure for the GoAnywhere Admin Console, review their license verification mechanisms, and closely monitor their GoAnywhere MFT environments for suspicious activity.
Microsoft also recommends using an enterprise attack surface management tool to discover unpatched systems on the perimeter, and using perimeter firewalls and proxies to restrict servers from making arbitrary outbound connections to the internet (such as browsing and downloads), which helps block malware downloads and command-and-control activity.
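As an added example (not code from the article, Microsoft or Fortra), the following Python script performs the log check described above: it walks a log directory and reports every line containing SignedObject.getObject. The timestamp format and the log file naming are assumptions, and the sample log content is constructed for illustration.

```python
"""Scan GoAnywhere MFT log files for the CVE-2025-10035 exploitation indicator."""
import re
import sys
from pathlib import Path

# Indicator string named in the remediation guidance for CVE-2025-10035.
INDICATOR = "SignedObject.getObject"
# Leading timestamp as found in many Java application logs (assumed format; adjust to yours).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")


def scan_lines(lines, source="<memory>"):
    """Return (source, line_no, timestamp_or_None, text) for each line containing the indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        if INDICATOR in line:
            m = TS_RE.match(line)
            hits.append((source, n, m.group(1) if m else None, line.rstrip()))
    return hits


def scan_log_dir(log_dir, patterns=("*.log", "*.txt")):
    """Walk the directory where GoAnywhere writes its logs and collect all indicator hits."""
    hits = []
    for pat in patterns:
        for path in sorted(Path(log_dir).rglob(pat)):
            with path.open(encoding="utf-8", errors="replace") as f:
                hits.extend(scan_lines(f, str(path)))
    return hits


# Constructed sample log content (not a real GoAnywhere log): three benign lines, one hit.
SAMPLE_LOG = """\
2025-09-12 03:14:01 INFO  [LicenseServlet] License request received
2025-09-12 03:14:02 ERROR [LicenseServlet] java.lang.ClassCastException in license response
\tat java.security.SignedObject.getObject(SignedObject.java)
2025-09-12 03:15:10 INFO  [Scheduler] Job completed
"""


def main(argv):
    """Scan the directory given on the command line, or the sample when none is given."""
    hits = scan_log_dir(argv[1]) if len(argv) > 1 else scan_lines(SAMPLE_LOG.splitlines(), "sample")
    for source, n, ts, text in hits:
        print(f"{source}:{n} [{ts or 'no timestamp'}] {text}")
    print(f"{len(hits)} indicator hit(s); any hit warrants a full incident response review.")
    return 1 if hits else 0  # non-zero exit lets a scheduled job raise an alert


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A hit only tells you the deserialization path was triggered; patching afterwards does not undo it, so treat any match as the trigger for the forensic review the article describes.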