Microsoft Confirms GoAnywhere Zero-Day Exploited in Medusa Ransomware Attacks (CVE-2025-10035)

MD

Microsoft Confirms GoAnywhere Flaw Used in Medusa Ransomware Attacks

CVE-2025-10035 • Critical RCE • Patch & forensic steps you must run now

Breaking

A critical zero-day in Fortra's GoAnywhere MFT (CVE-2025-10035, score 10.0) was exploited by a Medusa affiliate (Storm-1175) to deploy ransomware and exfiltrate data. Microsoft detected attacks starting Sept 11, 2025, before Fortra's patch on Sept 18, 2025.

Immediate risk: Remote code execution (RCE) — in some cases without authentication — enabling full system compromise and ransomware deployment.

Quick facts (bullet points)

• Vulnerability: CVE-2025-10035 — deserialization flaw in GoAnywhere License Servlet (<= 7.8.3)
• Severity: CVSS 10.0 (Critical)
• Exploiters: Storm-1175 (Medusa affiliate)
• Timeline: Exploited from Sept 11; patch released Sept 18, 2025
• Observed tools & techniques: RMM tools (SimpleHelp, MeshAgent), .jsp backdoors, Cloudflare tunnels, Rclone for exfiltration
• Exposure: 500+ GoAnywhere instances reported still accessible online (Shadowserver)

Attack chain — how Medusa moved from exploit to encryption

1. Initial access: Exploit deserialization bug to run code.
2. Persistence: Install RMM tools and hide in legitimate directories.
3. Post-exploitation: Drop .jsp web shells, scan networks, collect credentials.
4. Lateral movement: Use RDP and tools to move across systems.
5. C2 & exfiltration: Cloudflare tunnels for C2 and Rclone to steal files.
6. Ransomware deployment: Deploy Medusa payload and encrypt data.

Key warning: Patch alone doesn't guarantee safety — attackers who exploited systems before patching may have installed backdoors. Conduct forensic reviews even after updating.

Recommendations — what to do right now

• Upgrade GoAnywhere MFT to the latest patched version immediately.
• Block external access to GoAnywhere Admin Consoles from the internet.
• Enable EDR in block mode and apply Attack Surface Reduction rules.
• Search logs for "SignedObject.getObject" errors — indicator of exploitation.
• Look for RMM tools (SimpleHelp, MeshAgent), suspicious .jsp files, and Cloudflare tunnel processes.
• If you detect compromise, isolate affected systems and start a forensic investigation before reimaging or restoring backups.

Why Fortra came under criticism

Fortra released a patch on Sept 18, but security researchers say active exploitation began on Sept 11. Critics accused the vendor of not adequately warning customers about active attacks during the window between exploitation and patch availability.

Bottom line

This campaign is a reminder that enterprise file-transfer tools — even when trusted — can become critical attack vectors. Immediate patching, network lockdowns, and forensic checks are essential.

Key takeaways

• CVE-2025-10035 = critical RCE used in real-world Medusa attacks.
• Exploit observed before patch — treat all GoAnywhere MFT instances as potentially compromised until proven otherwise.
• Patch, then hunt for indicators and remove persistence mechanisms.

Quick actions

If you manage GoAnywhere MFT, take these actions now.

Indicators to search:

SignedObject.getObject
SimpleHelp
MeshAgent
*.jsp in GoAnywhere dirs
Cloudflare tunnel processes
Rclone activity

Full article on:

techupdates369.site

Share this alert

Quick text for social sharing or incident alerting teams.

Critical: CVE-2025-10035 in GoAnywhere exploited by Medusa (Storm-1175). Patch now and hunt for indicators. https://www.techupdates369.site

Published: Oct 8, 2025 • Tags: Ransomware, GoAnywhere, Medusa, Cybersecurity