Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign

by CybrGPT

A vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) tool with a CVSS score of 10.0 is being actively exploited in ransomware attacks, Microsoft has warned.

The tech giant published a blog post yesterday to urge customers to patch CVE-2025-10035: a critical deserialization flaw in GoAnywhere MFT’s License Servlet Admin Console.

“It enables an attacker to bypass signature verification by crafting a forged license response signature, which then allows the deserialization of arbitrary, attacker-controlled objects,” Microsoft explained.

“Successful exploitation could result in command injection and potential RCE [remote code execution] on the affected system. Public reports indicate that exploitation does not require authentication if the attacker can craft or intercept valid license responses, making this vulnerability particularly dangerous for internet-exposed instances.”

Following exploitation, threat actors can perform system and user discovery, maintain long-term access and deploy additional tooling for lateral movement and malware delivery, it added.

Although patched by developer Fortra on September 18, the vulnerability was originally exploited as a zero-day a week earlier (September 11) by threat group Storm-1175.

Following initial access, the group launched binaries from legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent, used tools like netscan for network discovery and moved laterally using the Microsoft Remote Desktop Connection client (“mstsc.exe”).

“For command-and-control (C2), the threat actor utilized RMM tools to establish their infrastructure and even set up a Cloudflare tunnel for secure C2 communication,” the report continued.

“During the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment. Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.”
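The post-exploitation chain Microsoft describes (RMM tooling, netscan discovery, mstsc.exe lateral movement, a Cloudflare tunnel for C2, Rclone exfiltration) lends itself to a simple per-host correlation rule. The following is an added example, not code from Microsoft or Fortra: it classifies constructed process-creation events into those stages and raises the severity when several stages appear on one host or when the tooling is spawned directly from the GoAnywhere server process. The log format, the `java.exe` parent-process assumption, the `cloudflared` binary name and all sample events are assumptions made for the example.

```python
from collections import defaultdict

# Post-exploitation stages from the Microsoft report, keyed to a lowercase
# substring matched against the process image and command line.
STAGE_INDICATORS = {
    "rmm":       ("simplehelp", "meshagent"),
    "discovery": ("netscan",),
    "lateral":   ("mstsc.exe",),
    "c2":        ("cloudflared",),   # assumption: Cloudflare tunnel client binary name
    "exfil":     ("rclone",),
}

# Assumption: GoAnywhere MFT runs as a Java process, so tooling spawned by
# java.exe on the MFT host is treated as a strong post-exploitation signal.
MFT_PARENTS = ("java.exe", "java")

def classify(event):
    """Return the post-exploitation stage an event indicates, or None if benign."""
    text = f"{event['image']} {event['cmdline']}".lower()
    for stage, needles in STAGE_INDICATORS.items():
        if any(n in text for n in needles):
            return stage
    return None

def correlate(events):
    """Group indicator hits per host and assign a severity.

    high   : any indicator spawned by the MFT process, or three or more stages seen
    medium : two stages seen on the host
    low    : a single stage (e.g. an administrator's own RDP session)
    """
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        spawned_by_mft = ev["parent"].lower() in MFT_PARENTS
        per_host[ev["host"]].append((stage, spawned_by_mft))

    findings = {}
    for host, hits in per_host.items():
        stages = []
        for stage, _ in hits:          # keep first-seen order, drop repeats
            if stage not in stages:
                stages.append(stage)
        mft_spawned = any(flag for _, flag in hits)
        if mft_spawned or len(stages) >= 3:
            severity = "high"
        elif len(stages) == 2:
            severity = "medium"
        else:
            severity = "low"
        findings[host] = {"stages": stages, "mft_spawned": mft_spawned,
                          "severity": severity}
    return findings

# Constructed sample events (not real telemetry): one MFT host showing the full
# chain and one workstation with an ordinary RDP session.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "mft01", "parent": "java.exe",
     "image": "C:\\Temp\\SimpleHelp.exe", "cmdline": "SimpleHelp.exe"},
    {"ts": 2, "host": "mft01", "parent": "SimpleHelp.exe",
     "image": "netscan.exe", "cmdline": "netscan.exe /range:10.0.0.0/24"},
    {"ts": 3, "host": "mft01", "parent": "explorer.exe",
     "image": "mstsc.exe", "cmdline": "mstsc.exe /v:fs01"},
    {"ts": 4, "host": "mft01", "parent": "cmd.exe",
     "image": "cloudflared.exe", "cmdline": "cloudflared.exe tunnel run"},
    {"ts": 5, "host": "mft01", "parent": "cmd.exe",
     "image": "rclone.exe", "cmdline": "rclone.exe copy D:\\share remote:bucket"},
    {"ts": 6, "host": "ws07", "parent": "explorer.exe",
     "image": "mstsc.exe", "cmdline": "mstsc.exe"},
    {"ts": 7, "host": "ws07", "parent": "explorer.exe",
     "image": "chrome.exe", "cmdline": "chrome.exe"},
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding["severity"], "->", " > ".join(finding["stages"]))
```

Substring matching on process names is deliberately coarse; in production the same correlation would key on hashes or signer information for the RMM binaries and on outbound connections for the tunnel and Rclone stages, since attackers rename executables. The value of the rule is the chaining: a lone mstsc.exe is routine, but RMM install followed by discovery, RDP, tunnel and Rclone on the MFT host within a short window is the sequence the report describes.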

According to the Shadowserver Foundation, there are 513 GoAnywhere instances currently exposed, most of which (363) are located in North America.

Medusa Strikes Again

First identified in 2021, Medusa has snared over 300 global victims in critical infrastructure sectors, according to a joint advisory from March published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

It claimed over 40 victims in the first two months of 2025 alone, including a confirmed attack on a US healthcare organization.

The affiliates using the ransomware-as-a-service variant usually achieve initial access either through phishing campaigns or by exploiting unpatched software vulnerabilities. In previous campaigns, they’ve used a ScreenConnect authentication bypass (CVE-2024-1709) and a Fortinet EMS SQL injection flaw (CVE-2023-48788).

Microsoft urged GoAnywhere customers to:

  • Upgrade to the latest version of the software in line with Fortra’s recommendations
  • Use an enterprise attack surface management product to discover unpatched systems on the network perimeter
  • Check the perimeter firewall and proxy to ensure servers are not allowed to access the internet for arbitrary connections, like browsing and downloads
  • Run endpoint detection and response (EDR) tools in block mode to remediate malicious artifacts detected post-breach
  • Turn on block mode in corporate anti-virus products

© 2025 cybrgpt.com – All rights reserved.