Fortra GoAnywhere MFT Flaw Fuels Medusa Ransomware Attacks, Microsoft Reports

Summary
– Storm-1175 has been exploiting a critical GoAnywhere MFT vulnerability (CVE-2025-10035) in Medusa ransomware attacks since at least September 11, 2025.
– The vulnerability is a remote deserialization flaw in Fortra’s GoAnywhere MFT that requires no user interaction and was patched on September 18.
– Attackers use tactics like abusing RMM tools for persistence, conducting network reconnaissance, and moving laterally with Remote Desktop to deploy ransomware.
– Over 500 GoAnywhere MFT instances are exposed online, and organizations are advised to upgrade to the latest version and inspect logs for signs of compromise.
– Medusa ransomware has previously impacted over 300 U.S. critical infrastructure organizations, and Storm-1175 has been linked to other high-profile attacks.
A maximum-severity vulnerability in Fortra’s GoAnywhere MFT secure file transfer platform is being exploited by ransomware attackers to break into corporate networks. Tracked as CVE-2025-10035, the flaw is a deserialization weakness in the product’s License Servlet that can be triggered remotely without any user interaction. Security researchers have observed over 500 instances of the software exposed online, though how many of those remain unpatched is unknown.
The cybercrime group tracked as Storm-1175, a known affiliate of the Medusa ransomware operation, has been actively exploiting this vulnerability since at least September 11, 2025. Microsoft Defender researchers confirmed the group’s involvement, noting their use of tactics consistent with previous campaigns. For initial network access, the threat actors exploited the then-zero-day deserialization vulnerability in GoAnywhere MFT. To maintain persistence within compromised environments, they abused legitimate remote monitoring and management tools, specifically SimpleHelp and MeshAgent.
Following initial compromise, the attackers executed a multi-stage intrusion process. They launched RMM binaries, used Netscan for network reconnaissance, and ran various commands to discover users and systems. Lateral movement across the network was achieved using the Microsoft Remote Desktop Connection client. In at least one victim’s environment, the group deployed Rclone to exfiltrate stolen files before ultimately launching Medusa ransomware payloads to encrypt data.
This is not the first time the Medusa operation has drawn attention from authorities. Earlier this year, a joint advisory from CISA, the FBI, and MS-ISAC highlighted that the ransomware had impacted more than 300 critical infrastructure organizations across the United States. Furthermore, Microsoft previously linked the Storm-1175 group to attacks exploiting a VMware ESXi authentication bypass flaw, which led to deployments of Akira and Black Basta ransomware.
To protect against these ongoing attacks, organizations running GoAnywhere MFT are urged to upgrade immediately to the latest patched version. Fortra has also recommended that administrators inspect the GoAnywhere log files for stack trace errors containing the string SignedObject.getObject, which indicates that exploitation of the flaw has been attempted against that instance and should prompt an investigation for the post-exploitation activity described above.
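The log check Fortra recommends, and a hunt for the post-exploitation tooling attributed to Storm-1175 above, as an added example that is not part of the original article or of Fortra’s or Microsoft’s own tooling. The log layout, thread names, Java frames and process-creation events below are constructed for the example (they are not captured from a real system), and the binary names in TOOL_PATTERNS are assumptions, since operators routinely rename tools; the renamed Rclone event is caught by its command-line flag rather than its image name to illustrate why matching on the command line matters.

```python
import re

# Indicator Fortra published for CVE-2025-10035: a stack trace in the GoAnywhere MFT
# log containing "SignedObject.getObject". The log format regex below is an
# assumption for this example; adapt it to the layout your deployment writes.
STACK_INDICATOR = "SignedObject.getObject"
TIMESTAMPED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+(?P<level>\w+)\s+\[(?P<thread>[^\]]+)\]"
)

# Constructed sample log excerpt (not real Fortra output; class names are placeholders).
SAMPLE_LOG = """\
2025-09-11 03:14:05,101 INFO  [http-nio-8000-exec-3] LicenseServlet - license request received
2025-09-11 03:14:05,233 ERROR [http-nio-8000-exec-3] LicenseServlet - unhandled exception
java.lang.RuntimeException: deserialization failed
    at java.base/java.security.SignedObject.getObject(SignedObject.java:179)
    at com.example.goanywhere.LicenseServlet.doPost(LicenseServlet.java:88)
2025-09-11 03:20:41,004 INFO  [http-nio-8000-exec-7] LoginServlet - admin logged in from 10.0.0.5
2025-09-12 10:00:00,000 INFO  [scheduler] Maintenance - temp file cleanup complete
"""


def find_deserialization_traces(log_text):
    """Return one finding per log line containing the indicator.

    Java stack-trace lines carry no timestamp of their own, so each finding is
    tagged with the timestamp and thread of the nearest preceding log entry,
    which is what you need to correlate with web-server access logs.
    """
    findings = []
    current = {"ts": None, "thread": None}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = TIMESTAMPED.match(line)
        if m:
            current = {"ts": m.group("ts"), "thread": m.group("thread")}
        if STACK_INDICATOR in line:
            findings.append({"line": lineno, "ts": current["ts"],
                             "thread": current["thread"], "frame": line.strip()})
    return findings


# Tooling the article attributes to Storm-1175. Image names are assumptions;
# the patterns are applied to image path and command line together.
TOOL_PATTERNS = {
    "SimpleHelp (RMM persistence)": re.compile(r"simplehelp", re.I),
    "MeshAgent (RMM persistence)": re.compile(r"meshagent", re.I),
    "Netscan (network reconnaissance)": re.compile(r"netscan", re.I),
    "mstsc (lateral movement via RDP)": re.compile(r"\bmstsc(\.exe)?\b", re.I),
    # "--transfers" is an rclone flag; it survives renaming of the binary.
    "Rclone (exfiltration)": re.compile(r"\brclone\b|--transfers\b", re.I),
}

# Constructed process-creation events (shape similar to Sysmon event ID 1 / EDR telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-09-11T03:15:02Z", "host": "mft01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\Temp\MeshAgent.exe", "cmdline": "MeshAgent.exe -install"},
    {"ts": "2025-09-11T03:40:11Z", "host": "mft01", "user": "corp\\svc_mft",
     "image": r"C:\Users\Public\netscan.exe", "cmdline": "netscan.exe /range:10.0.0.0/24"},
    {"ts": "2025-09-11T04:02:55Z", "host": "mft01", "user": "corp\\svc_mft",
     "image": r"C:\Windows\System32\mstsc.exe", "cmdline": "mstsc.exe /v:fs01"},
    {"ts": "2025-09-11T06:30:00Z", "host": "fs01", "user": "corp\\svc_mft",
     "image": r"C:\ProgramData\rc.exe", "cmdline": "rc.exe copy D:\\Shares remote:bucket --transfers 8"},
    {"ts": "2025-09-11T08:00:00Z", "host": "ws22", "user": "corp\\alice",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def flag_post_exploitation(events):
    """Tag each event with the Storm-1175 tooling it resembles; unmatched events are dropped."""
    hits = []
    for ev in events:
        haystack = f'{ev["image"]} {ev["cmdline"]}'
        for label, pattern in TOOL_PATTERNS.items():
            if pattern.search(haystack):
                hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "tool": label})
    return hits


if __name__ == "__main__":
    for f in find_deserialization_traces(SAMPLE_LOG):
        print(f"[log] line {f['line']} at {f['ts']} thread {f['thread']}: {f['frame']}")
    for h in flag_post_exploitation(SAMPLE_EVENTS):
        print(f"[proc] {h['ts']} {h['host']} {h['user']}: {h['tool']}")
```

A hit from find_deserialization_traces gives you the timestamp to pivot on; the next step is to pull the corresponding request from the web-server access log and to run the process hunt over every host the MFT server can reach over RDP, since the article places the RMM install, Netscan and Rclone activity on or beyond the initially compromised host. An empty result from the log scan is only as good as your log retention, so check that the logs actually cover the window back to September 11, 2025 before treating the instance as clean.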
(Source: Bleeping Computer)