Medusa Ransomware Exploiting GoAnywhere MFT Flaw, Confirms Microsoft

A CVSS 10.0 deserialization vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution is now being actively exploited by the Medusa ransomware group, according to a latest update from Microsoft.

The flaw, reported on September 25 by Hackread.com, is a dangerous deserialization vulnerability residing in the MFT’s License Servlet. This allows an attacker to achieve unauthenticated Remote Code Execution (RCE) and full system takeover.

By forging a license response signature, an attacker can bypass security checks, forcing the software to execute malicious code. This high-risk RCE capability makes all internet-exposed GoAnywhere instances highly vulnerable.

****The Exploitation Timeline and Independent Confirmation****

Although Fortra published an alert and patch on September 18, 2025, security researchers from watchTowr Labs found exploitation activity dating back to September 10, 2025, eight days before Fortra’s public advisory.

Detailed post-exploitation analysis from watchTowr Labs shows a consistent pattern: After achieving RCE, attackers established persistence by creating a covert administrative account named ‘admin-go’.

They then moved laterally by dropping binaries for legitimate Remote Monitoring and Management (RMM) tools like SimpleHelp and MeshAgent. The watchTowr team also suggested that Fortra’s advisory section on “Am I Impacted?” was a veiled method to share signs of compromise without fully admitting to the in-the-wild exploitation.

****Medusa Ransomware Confirmed****

The risk escalated significantly with an October 6, 2025, update from Microsoft Threat Intelligence. Microsoft confirmed that a cybercriminal group they track as Storm-1175, a known affiliate of Medusa ransomware, was observed actively targeting organisations starting on September 11, 2025.

In detailing this multi-stage attack, Microsoft confirmed the vulnerability exploitation led to command injection, system discovery, the use of RMM tools for persistent access, and ultimately, the successful deployment of Medusa ransomware in at least one compromised environment. Attackers were also observed using data transfer tools like Rclone for data exfiltration and setting up Cloudflare tunnels for secure Command and Control (C2).

“Just weeks after we confirmed evidence of in-the-wild exploitation of CVE-2025-10035, Microsoft has now linked the attacks to a known Medusa ransomware affiliate, confirming what we feared,” said watchTowr CEO and Founder, Benjamin Harris. Harris stressed that organisations using GoAnywhere MFT “have effectively been under silent assault since at least September 11, with little clarity from Fortra.”

****Immediate Action Required****

Fortra has urgently advised customers to upgrade to the patched versions: version 7.8.4 or the Sustain Release 7.6.3. The vulnerability’s severe nature has led to its addition to the CISA Known Exploited Vulnerabilities (KEV) Catalogue.

All organisations with exposed systems must apply the patch immediately to prevent future attacks. Given the confirmed exploitation activity, a full forensic review is necessary for systems that were exposed to determine if an initial compromise occurred before the update was applied.