Medusa Ransomware Attacks Affect Fortra GoAnywhere Transfer Tool

Medusa ransomware operators are actively exploiting a critical vulnerability in Fortra's GoAnywhere MFT, a web-based managed file transfer product. Microsoft Threat Intelligence reports that the threat group it tracks as Storm-1175, a Medusa ransomware affiliate, is exploiting the flaw in Internet-facing GoAnywhere MFT instances.

CVE-2025-10035 is a deserialization vulnerability in the GoAnywhere MFT License Servlet with a CVSS base score of 10.0; it was exploited as a zero-day before a patch existed. According to Fortra, an actor holding a validly forged license response signature can make the servlet deserialize an arbitrary actor-controlled object, which can lead to command injection and, in turn, remote code execution on the server. Fortra published its security advisory on September 18, 2025. The advisory states that the vulnerability affects the License Servlet, reached through the Admin Console, in GoAnywhere MFT version 7.8.3 and earlier, and that it is fixed in version 7.8.4 and in Sustain Release 7.6.3.

Microsoft observed exploitation at multiple organizations from September 11, 2025, while security research firm watchTowr reports exploitation as early as September 10, 2025, more than a week before Fortra published its advisory. Microsoft saw Storm-1175 deploy remote monitoring and management (RMM) tools, including MeshAgent and SimpleHelp, for persistence, and in some cases create .jsp files inside GoAnywhere MFT directories.

The group establishes persistence, sets up encrypted command-and-control (C2) channels, and brings in additional tools and malware for network discovery and lateral movement; lateral movement is carried out over RDP using mstsc.exe. It then locates and exfiltrates sensitive data, using Rclone for the exfiltration in at least one intrusion. Once the data is out, Medusa ransomware is deployed to encrypt files. Encrypting sensitive data at rest, as HIPAA-covered entities are expected to do for protected health information, limits the damage from such theft only where the attacker cannot also obtain the keys; an attacker with code execution on the MFT host can usually read whatever the application itself can.

Fortra advises all customers to check whether their GoAnywhere Admin Console is reachable from the Internet, restrict access if it is, and upgrade to the latest version of GoAnywhere MFT. Because the vulnerability was exploited as a zero-day for more than a week before the patch, patching alone is not enough: after upgrading, administrators should hunt for signs of compromise. Fortra's guidance is to review the Admin Audit logs for suspicious activity and to search the log files for errors containing the string SignedObject.getObject; if that string appears in an exception stack trace, the instance has most likely been targeted.
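As an added example that is not part of the original article and not Fortra's or Microsoft's tooling, the following POSIX shell script runs the two hunts described above on a GoAnywhere MFT host: it counts and prints log lines carrying Fortra's SignedObject.getObject indicator, and lists .jsp files under the install directory modified after the earliest reported exploitation date (watchTowr's September 10, 2025), the drop pattern Microsoft attributed to Storm-1175. The directory layout, file names and log lines in the demo are constructed for illustration; in practice, point the functions at the real log files and install root.

```shell
#!/bin/sh
# Added example (not Fortra's or Microsoft's tooling): a post-patch hunt for the
# CVE-2025-10035 indicators cited in the article.
#   1. Fortra: errors whose stack trace contains "SignedObject.getObject" in the
#      GoAnywhere MFT log files.
#   2. Microsoft: .jsp files created inside GoAnywhere MFT directories.
# All paths, file names and log lines below are constructed for illustration.

INDICATOR='SignedObject\.getObject'

# Print the number of lines in <logfile> that contain the indicator.
# grep -c exits 1 when the count is 0; we still want that "0" on stdout.
count_indicator() {
    grep -c "$INDICATOR" "$1" 2>/dev/null || true
}

# Print the matching lines of <logfile> prefixed with line numbers, for triage.
show_indicator() {
    grep -n "$INDICATOR" "$1" 2>/dev/null || true
}

# Print .jsp files under <dir> modified after <CCYYMMDDhhmm>.
# 202509100000 is the earliest exploitation date reported by watchTowr.
recent_jsp() {
    ref=$(mktemp)
    touch -t "$2" "$ref"
    find "$1" -type f -name '*.jsp' -newer "$ref" 2>/dev/null
    rm -f "$ref"
}

# Stand-alone demonstration on constructed data in a scratch directory.
demo() {
    work=$(mktemp -d)
    # Constructed log: a benign line and a failed deserialization in the License Servlet.
    printf '%s\n' \
        '2025-09-12 03:14:07 INFO  LicenseServlet: license response received' \
        '2025-09-12 03:14:07 ERROR LicenseServlet: java.lang.ClassCastException' \
        '    at java.security.SignedObject.getObject(SignedObject.java)' \
        > "$work/goanywhere.log"
    printf '%s\n' '2025-09-12 03:00:00 INFO  startup complete' > "$work/clean.log"
    # Constructed drop: an unexpected .jsp under the (assumed) install root.
    mkdir -p "$work/GoAnywhere/tomcat/webapps/ROOT"
    : > "$work/GoAnywhere/tomcat/webapps/ROOT/x.jsp"

    echo "indicator hits in goanywhere.log: $(count_indicator "$work/goanywhere.log")"
    echo "indicator hits in clean.log:      $(count_indicator "$work/clean.log")"
    show_indicator "$work/goanywhere.log"
    echo ".jsp files modified since 2025-09-10:"
    recent_jsp "$work/GoAnywhere" 202509100000
    rm -rf "$work"
}

demo
```

A hit from `count_indicator` is a lead, not proof: confirm it against the Admin Audit logs and the surrounding stack trace before treating the host as compromised, and treat any .jsp the product did not ship as a web shell until its contents say otherwise.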

On September 29, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal civilian executive branch agencies must apply Fortra's mitigations by October 20, 2025.

Image credit: Keopaserth, AdobeStock / logo © Fortra GoAnywhere


Posted by John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years' experience.