Microsoft blames Medusa ransomware affiliates for GoAnywhere exploits


Medusa ransomware affiliates are among those exploiting a maximum-severity bug in Fortra's GoAnywhere managed file transfer (MFT) product, according to Microsoft Threat Intelligence.

Fortra disclosed the 10.0-rated deserialization vulnerability tracked as CVE-2025-10035 on September 18. At the time, the vendor warned the flaw could trick the License Servlet - that's the GoAnywhere MFT license-checking component - into deserializing attacker-controlled Java objects by forging a license response that passes signature verification. This can lead to command injection and potential remote code execution.

Plus, after exploiting the vulnerability, miscreants can snoop around the compromised system, drop backdoors to ensure long-term access, and deploy malware droppers and other tools for lateral movement.

Now, Microsoft's threat trackers are warning that it's been exploited. "A cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175, known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the vulnerability," Redmond said on Monday.

So if you still haven't upgraded to a patched version, do that immediately. And, as exploitation is "highly dependent upon systems being externally exposed to the internet," according to Fortra, lock down access to the GoAnywhere Admin Console now.

Microsoft researchers spotted Storm-1175 exploitation activity affecting "multiple organizations" on September 11, according to the Monday report.

After exploiting the deserialization vulnerability as a zero-day, the ransomware slingers abused GoAnywhere MFT processes to deploy SimpleHelp and MeshAgent, both remote monitoring and management (RMM) tools, to maintain persistence. They also dropped the RMM binaries directly under the GoAnywhere MFT process and created .jsp files.

Next, the attackers executed user and system discovery commands, deployed netscan for network discovery, and achieved lateral movement via mstsc.exe.

They set up a Cloudflare tunnel for secure C2 communication, and executed Rclone for copying and exfiltrating data in at least one victim environment, the Redmond threat-hunters said. "Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed," the threat intel team added.

Microsoft declined to answer The Register's questions about the exploitation, including how many orgs were hit, and whether the activity remained ongoing.

It's worth noting that Fortra's advisory still doesn't say anything about in-the-wild abuse of CVE-2025-10035. The vendor didn't immediately respond to The Register's inquiries.

WatchTowr CEO and founder Benjamin Harris, who back in September criticized Fortra for not sharing details about the exploitation, told The Register that Microsoft's report linking the attacks to a Medusa affiliate "confirmed what we feared. Organizations running GoAnywhere MFT have effectively been under silent assault since at least September 11, with little clarity from Fortra."

Now that we know at least one group is exploiting the CVE, what they did with that access, and how much of a head start they had on network defenders, "what's still missing are the answers only Fortra can provide," Harris continued.

"How did threat actors get the private keys needed to exploit this? Why were organizations left in the dark for so long? Customers deserve transparency, not silence," he said. "We hope they will share in the very near future so affected or potentially affected organizations can understand their exposure to a vulnerability that is being actively exploited in the wild." ®
