Medusa Ransomware Group Actively Exploiting Critical GoAnywhere Flaw
The Storm-1175 group, linked to the operators behind the Medusa ransomware, has been actively exploiting a critical vulnerability in GoAnywhere MFT for nearly a month to infiltrate corporate networks. The flaw, tracked as CVE-2025-10035, affects Fortra’s secure file-transfer web platform and stems from an unauthenticated data deserialization error in the License Servlet component. The vulnerability can be exploited remotely, without user interaction, and requires minimal technical complexity.
According to the Shadowserver Foundation, more than 500 GoAnywhere MFT instances remain exposed online, though it is unclear how many have already been patched. While Fortra issued a fix on September 18, there were no confirmed signs of active exploitation at that time. However, just a week later, researchers at WatchTowr Labs reported that the flaw had been exploited as a zero-day since at least September 10, when verified evidence of attacks first emerged.
Microsoft later corroborated these findings, confirming that Storm-1175 had been leveraging the exploit since September 11 to gain initial access to targeted infrastructures. The company’s analysts observed activity consistent with the group’s established tactics. Once inside, attackers deployed SimpleHelp and MeshAgent for remote administration, conducted network scans using Netscan, executed reconnaissance commands to gather user and host data, and moved laterally through internal systems using the Microsoft Remote Desktop client (mstsc.exe).
After achieving network propagation, the threat actors installed Rclone to exfiltrate data and subsequently deployed the Medusa ransomware payload, encrypting victims’ systems.
Earlier, in March, CISA, together with the FBI and MS-ISAC, had warned that Medusa operations had already compromised more than 300 U.S. critical-infrastructure entities. In July 2024, Microsoft linked Storm-1175 to campaigns exploiting authentication-bypass flaws in VMware ESXi, which were used to distribute the Akira and Black Basta ransomware families.
Both Microsoft and Fortra urge administrators to immediately update GoAnywhere MFT to the latest version and to inspect system logs for errors containing the string SignedObject.getObject — a clear indicator of attempted exploitation.
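As an added defender-side example (not code from the original article or from Fortra), a small Python scanner that flags log lines containing the indicator string named above and attaches the nearest preceding timestamp, since Java stack-trace frames carry none of their own. The timestamp layout and the sample log lines are assumptions, not real GoAnywhere MFT output.

```python
import re
from dataclasses import dataclass

# Indicator named in the advisory text; matched case-sensitively (Java identifier).
INDICATOR = "SignedObject.getObject"

# Assumed timestamp prefix; adapt to the actual log layout of the deployment.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")


@dataclass
class Finding:
    line_no: int        # 1-based line number of the matching line
    timestamp: str      # nearest preceding timestamp (stack-trace lines carry none)
    text: str           # the matching line itself


def scan_log(lines):
    """Return one Finding per line that contains the indicator string."""
    findings = []
    last_ts = ""
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        m = _TS.match(line)
        if m:
            last_ts = m.group(1)
        if INDICATOR in line:
            findings.append(Finding(n, last_ts, line))
    return findings


def scan_file(path):
    """Scan a log file on disk; undecodable bytes are replaced, not fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log(fh)


# Constructed sample lines for demonstration; class names and frame numbers are placeholders.
SAMPLE_LOG = [
    "2025-09-12 03:14:07 INFO  Scheduled job 'nightly-cleanup' completed",
    "2025-09-12 03:15:22 ERROR Unhandled exception in License Servlet",
    "java.lang.ClassCastException: placeholder message",
    "\tat java.security.SignedObject.getObject(SignedObject.java:NNN)",
    "\tat com.example.LicenseServletPlaceholder.doPost(LicenseServletPlaceholder.java:NNN)",
    "2025-09-12 03:15:23 INFO  Client disconnected",
    "2025-09-12 09:41:10 WARN  Deserialization failure: SignedObject.getObject returned null",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} @ {f.timestamp or 'n/a'}: {f.text.strip()}")
```

Run `scan_file("/path/to/goanywhere.log")` against a real log export; a non-empty result warrants incident-response triage, and an empty one does not prove the instance was never probed.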