Microsoft Warns: Critical GoAnywhere Bug Actively Exploited in Medusa Ransomware Campaign
In a concerning development for enterprise cybersecurity, Microsoft has confirmed that a critical vulnerability in Fortra’s GoAnywhere MFT platform is being actively weaponized by ransomware operators. The Storm-1175 cybercrime group has been exploiting this maximum-severity flaw for nearly a month, targeting organizations with sophisticated Medusa ransomware attacks that have already compromised multiple victims.
This revelation underscores the persistent threat landscape facing businesses that rely on managed file transfer solutions, particularly when zero-day vulnerabilities fall into the hands of experienced ransomware affiliates.
Understanding the GoAnywhere MFT Vulnerability
The security flaw, designated as CVE-2025-10035, represents a significant threat to organizations using Fortra’s web-based secure transfer tool. At its core, this vulnerability stems from a deserialization of untrusted data weakness within the License Servlet component of GoAnywhere MFT.
What makes this vulnerability particularly dangerous is its exploitability profile. Attackers can leverage CVE-2025-10035 remotely without requiring any user interaction, and the complexity of exploitation remains low. These characteristics make it an attractive target for threat actors seeking rapid initial access to corporate networks.
The Shadowserver Foundation has identified over 500 GoAnywhere MFT instances currently exposed to the internet, creating a substantial attack surface for cybercriminals. However, the exact number of patched versus vulnerable systems remains uncertain, highlighting the urgency for administrators to verify their security posture.
Timeline of Discovery and Exploitation
The timeline surrounding CVE-2025-10035 reveals a troubling pattern of zero-day exploitation. Fortra released a patch for the vulnerability on September 18, 2025, but notably did not disclose any active exploitation at that time. This silence proved significant when security researchers at WatchTowr Labs independently discovered evidence of in-the-wild exploitation just one week later.
According to WatchTowr Labs, credible evidence suggested that threat actors had been leveraging CVE-2025-10035 as a zero-day vulnerability since September 10, 2025—eight days before the patch became available. This head start gave attackers a critical window to compromise vulnerable systems before defenders could respond.
Microsoft’s confirmation today provides additional clarity on the exploitation timeline, verifying that the Storm-1175 ransomware affiliate began targeting this vulnerability on or around September 11, 2025. This near-immediate weaponization of the security flaw demonstrates the sophisticated capabilities and rapid response mechanisms employed by modern ransomware operations.
Inside the Storm-1175 Attack Chain
Microsoft Defender researchers have documented the complete attack methodology employed by Storm-1175, revealing a multi-stage operation that follows established tactics, techniques, and procedures.
Initial Access and Persistence
The attack begins with exploitation of the GoAnywhere MFT deserialization vulnerability, granting the threat actors their initial foothold within the target environment. Once inside, Storm-1175 immediately focuses on establishing persistent access through the abuse of legitimate remote monitoring and management tools.
Specifically, the group deploys two RMM platforms: SimpleHelp and MeshAgent. By leveraging these legitimate administrative tools, the attackers create covert backdoors that blend into normal network traffic and are less likely to trigger security alerts.
Reconnaissance and Lateral Movement
After securing persistence, Storm-1175 launches the RMM binaries and deploys Netscan for comprehensive network reconnaissance. This allows the attackers to map the victim’s network architecture, identify valuable targets, and locate critical systems containing sensitive data.
The group then executes various commands for user and system discovery, gathering information about privileges, accounts, and potential escalation paths. Armed with this intelligence, they move laterally throughout the compromised network using the Microsoft Remote Desktop Connection client, systematically expanding their control over the environment.
Data Exfiltration and Encryption
In the final stages of the attack, Storm-1175 deploys Rclone—a legitimate cloud storage management tool—to exfiltrate stolen data from at least some victim environments. This data theft serves the dual purpose of providing leverage for ransom negotiations and creating additional extortion opportunities through threatened data leaks.
The attack culminates with the deployment of Medusa ransomware payloads across compromised systems, encrypting files and rendering business operations inoperable until victims either pay the ransom or restore from backups.
The Medusa Ransomware Operation
The Medusa ransomware operation represents a significant threat to critical infrastructure across the United States. In March 2025, the Cybersecurity and Infrastructure Security Agency issued a joint advisory with the FBI and the Multi-State Information Sharing and Analysis Center, warning that Medusa had already impacted over 300 critical infrastructure organizations nationwide.
This widespread impact demonstrates the effectiveness of the Medusa operation and its various affiliate groups, including Storm-1175. The ransomware-as-a-service model enables multiple threat actors to leverage the same malicious infrastructure while customizing their attack techniques.
Storm-1175’s History of Exploitation
This is not the first time Storm-1175 has made headlines for exploiting critical vulnerabilities. Microsoft previously linked the threat group to attacks in July 2024 that exploited a VMware ESXi authentication bypass vulnerability. Those campaigns resulted in the deployment of both Akira and Black Basta ransomware across victim networks.
This pattern of rapidly weaponizing newly disclosed or zero-day vulnerabilities reveals Storm-1175’s sophisticated technical capabilities and access to advanced exploit development resources. The group’s ability to pivot between different ransomware families also suggests either a financially motivated affiliate model or close relationships with multiple ransomware operators.
Mitigation and Defense Strategies
Both Microsoft and Fortra have issued guidance for organizations seeking to protect their GoAnywhere MFT deployments from exploitation.
Immediate Actions
The most critical step is upgrading all GoAnywhere MFT instances to the latest patched versions. Organizations should treat this as an emergency maintenance activity given the active exploitation and potential for rapid compromise.
Fortra has provided specific guidance for detecting potential compromise. Administrators should examine their log files for stack trace errors containing the “SignedObject.getObject” string, which may indicate exploitation attempts or successful breaches.
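As an added example (not Fortra's or Microsoft's tooling), the Python below applies the two checks from the guidance above to constructed input: it tags each stack-trace frame containing "SignedObject.getObject" with the timestamp of the preceding log header, and flags process names matching the RMM and exfiltration tools from the Storm-1175 chain. The log line format, the sample process list and the com.example class name are assumptions, not real GoAnywhere output.

```python
"""Triage helper for the two checks described on this page: the Fortra log
indicator for CVE-2025-10035 and the tooling Microsoft attributes to Storm-1175.
Added example; log format and process list are constructed for illustration."""
import re

# String Fortra says appears in stack traces after exploitation attempts.
INDICATOR = "SignedObject.getObject"
# Tool names from the attack chain described above (lower-case for matching).
SUSPECT_TOOLS = ("simplehelp", "meshagent", "netscan", "rclone")
# Assumed header layout: "YYYY-MM-DD HH:MM:SS LEVEL message".
HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)")


def find_indicator_hits(lines):
    """Return (timestamp, frame) for every stack-trace frame naming INDICATOR.
    Java stack frames carry no timestamp, so each hit is tagged with the
    timestamp of the most recent header line that preceded it."""
    hits, current_ts = [], None
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            current_ts = m.group(1)
        if INDICATOR in line:
            hits.append((current_ts, line.strip()))
    return hits


def flag_suspect_processes(process_names):
    """Return the process names matching the Storm-1175 tool set.
    Substring match, so 'MeshAgent.exe' and 'rclone' both flag."""
    return [name for name in process_names
            if any(tool in name.lower() for tool in SUSPECT_TOOLS)]


# Constructed sample data (not real GoAnywhere output or a real host).
SAMPLE_LOG = [
    "2025-09-12 03:14:07 INFO  License request received",
    "2025-09-12 03:14:09 ERROR Unhandled exception in License Servlet",
    "java.lang.RuntimeException: constructed placeholder message",
    "    at java.base/java.security.SignedObject.getObject(SignedObject.java)",
    "    at com.example.LicenseServlet.doPost(LicenseServlet.java)",
    "2025-09-12 03:15:00 INFO  Scheduled job completed",
]
SAMPLE_PROCESSES = ["svchost.exe", "MeshAgent.exe", "explorer.exe", "rclone.exe"]

if __name__ == "__main__":
    for ts, frame in find_indicator_hits(SAMPLE_LOG):
        print(f"[{ts}] indicator hit: {frame}")
    print("suspect processes:", flag_suspect_processes(SAMPLE_PROCESSES))
```

On a real deployment, point the scanner at the GoAnywhere application logs and a current process listing; a hit is a reason to start incident response, not proof of compromise on its own.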
Comprehensive Security Measures
Beyond patching, organizations should implement defense-in-depth strategies. This includes network segmentation to limit lateral movement opportunities, enhanced monitoring of RMM tool usage to detect unauthorized deployments, and implementation of application allowlisting to prevent execution of unauthorized tools like Netscan and Rclone.
Regular security assessments should verify that managed file transfer platforms are not unnecessarily exposed to the internet. Where internet exposure is required, access controls such as IP allowlisting and multi-factor authentication add a further layer of protection.
Frequently Asked Questions
1. What is CVE-2025-10035?
CVE-2025-10035 is a critical deserialization vulnerability in Fortra’s GoAnywhere MFT platform that allows remote attackers to exploit the system without user interaction. The flaw exists in the License Servlet component and has been assigned a maximum severity rating.
2. How do I know if my GoAnywhere MFT instance has been compromised?
Check your log files for stack trace errors containing the string “SignedObject.getObject,” which may indicate exploitation attempts. Additionally, look for unexpected RMM tools like SimpleHelp or MeshAgent, unusual network scanning activity, or unauthorized use of tools like Rclone.
3. What is the Storm-1175 threat group?
Storm-1175 is a cybercrime group tracked by Microsoft that operates as a Medusa ransomware affiliate. The group has a history of quickly exploiting newly discovered vulnerabilities and has been linked to previous attacks using VMware ESXi flaws to deploy Akira and Black Basta ransomware.
4. Is there a patch available for this vulnerability?
Yes, Fortra released a patch on September 18, 2025. All organizations using GoAnywhere MFT should immediately upgrade to the latest version to protect against exploitation.
5. What makes this vulnerability particularly dangerous?
The combination of maximum severity, remote exploitability, low attack complexity, and no required user interaction makes CVE-2025-10035 extremely dangerous. Additionally, active exploitation by skilled ransomware operators increases the urgency of patching.
6. What industries are most at risk from Medusa ransomware?
Based on CISA advisories, Medusa has particularly targeted critical infrastructure organizations, with over 300 such entities compromised across the United States. However, any organization using vulnerable GoAnywhere MFT instances faces risk.
7. How quickly was this vulnerability exploited after discovery?
Evidence suggests exploitation began around September 10, 2025—eight days before the patch was released. This means the vulnerability was exploited as a zero-day before most organizations were aware of its existence.
8. What should I do if I suspect my organization has been compromised?
Immediately isolate affected systems, engage your incident response team, preserve logs for forensic analysis, and contact law enforcement. Consider engaging a cybersecurity firm specializing in ransomware incident response to assist with containment and recovery.
How Technijian Can Help
Navigating the complex landscape of cybersecurity threats like the GoAnywhere MFT vulnerability requires specialized expertise and proactive security measures. Technijian offers comprehensive cybersecurity solutions designed to protect your organization from ransomware attacks and zero-day exploits.
Our team of certified security professionals provides vulnerability assessment services to identify exposed systems within your infrastructure, including managed file transfer platforms and other critical applications. We deliver rapid patch management services to ensure your systems receive security updates immediately upon release, eliminating the dangerous window of vulnerability exploitation.
Technijian’s 24/7 security monitoring services detect suspicious activities like unauthorized RMM tool deployment, unusual network scanning, and data exfiltration attempts before they escalate into full-scale ransomware incidents. Our incident response team stands ready to contain threats, perform forensic analysis, and guide your organization through recovery procedures if compromise occurs.
We also provide strategic security consulting to implement defense-in-depth architectures, establish proper network segmentation, and develop comprehensive ransomware response plans tailored to your specific business requirements. Our training programs educate your IT staff on emerging threats and best practices for maintaining secure file transfer operations.
Don’t wait for a ransomware attack to expose vulnerabilities in your infrastructure. Contact Technijian today to schedule a comprehensive security assessment and fortify your defenses against sophisticated threat actors like Storm-1175. Our proactive approach to cybersecurity ensures your organization stays protected against both known vulnerabilities and emerging threats.
Visit our website or call our security operations center to speak with a specialist about protecting your managed file transfer platforms and securing your entire IT environment against ransomware threats.