A critical zero-day vulnerability in GoAnywhere MFT’s License Servlet is being actively exploited to deploy Medusa ransomware.
On September 18, 2025, Fortra released an advisory disclosing CVE-2025-10035, a deserialization flaw rated at the maximum CVSS score of 10.0.
Threat actors tracked as Storm-1175 have abused this issue to gain remote code execution (RCE) on exposed systems, leading to widespread compromise.
Vulnerability Analysis
CVE-2025-10035 resides in GoAnywhere MFT versions up to 7.8.3. The flaw allows an attacker to forge a license response signature and bypass signature verification.
By sending a crafted response, the attacker triggers deserialization of arbitrary, attacker-controlled objects. This in turn enables command injection and full RCE.
| CVE ID | Vulnerability Type | Affected Product & Versions | CVSS Score (3.1) |
|---|---|---|---|
| CVE-2025-10035 | Deserialization flaw | GoAnywhere MFT License Servlet Admin Console ≤ 7.8.3 | 10.0 |
Because the vulnerability can be exploited without authentication when valid responses are crafted or intercepted, any internet-facing GoAnywhere deployment is at serious risk.
Successful exploitation grants the actor the ability to run system and user discovery commands. It also permits installation of additional tools for lateral movement.
Public guidance strongly urges immediate updating to the patched GoAnywhere MFT release and reviewing license verification configurations.
Monitoring for unusual requests to the license servlet is also recommended to detect exploitation attempts early.
Exploitation Activity by Storm-1175
Microsoft Threat Intelligence identified active exploitation beginning September 11, 2025. Storm-1175’s campaign follows a consistent multi-stage pattern:
- Initial Access: Exploitation of the zero-day deserialization vulnerability in the License Servlet grants RCE.
- Persistence: Attackers drop remote monitoring and management (RMM) tools—SimpleHelp and MeshAgent—directly into the GoAnywhere process, and deploy web shells via .jsp files in the application directories.
- Discovery: The threat actors execute commands such as whoami, systeminfo, and net user to map the environment and deploy network scanning tools.
- Lateral Movement: RDP sessions using mstsc.exe facilitate movement between hosts.
- Command and Control: RMM tools establish persistent control, often using a Cloudflare tunnel to secure traffic.
- Exfiltration: Rclone is used to collect and transfer data from compromised networks.
- Ransomware Deployment: Final payloads of Medusa ransomware encrypt systems, demanding payment for decryption keys.
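The kill chain above maps cleanly onto endpoint telemetry: discovery commands, mstsc and rclone are ordinary binaries, so what makes them suspicious is being spawned by the GoAnywhere MFT process, and a new .jsp file under the application directory is the web-shell signal. The following hunt script is an added example, not code from Fortra or Microsoft; it assumes GoAnywhere runs as a Java service installed under a path containing "GoAnywhere", and the JSON-lines event schema and file paths in the sample are constructed placeholders.

```python
import json
from pathlib import PureWindowsPath

# Assumption: GoAnywhere MFT runs as a Java service installed under a path
# containing "GoAnywhere"; tune this marker to your install location.
GOANYWHERE_MARKER = "goanywhere"

# Child processes named in the article's kill chain, mapped to a stage label.
STAGE_BY_CHILD = {
    "whoami.exe": "discovery", "systeminfo.exe": "discovery",
    "net.exe": "discovery", "net1.exe": "discovery",
    "mstsc.exe": "lateral_movement", "rclone.exe": "exfiltration",
}

def under_goanywhere(path: str) -> bool:
    return GOANYWHERE_MARKER in path.lower()

def classify(event: dict):
    """Return (stage, detail) when an event matches the chain, else None."""
    if event["type"] == "process":
        # The same binaries are benign from an admin shell; the parent matters.
        if not under_goanywhere(event["parent_image"]):
            return None
        child = PureWindowsPath(event["image"]).name.lower()
        stage = STAGE_BY_CHILD.get(child)
        return (stage, event["cmdline"]) if stage else None
    if event["type"] == "file_create":
        path = PureWindowsPath(event["path"])
        if path.suffix.lower() == ".jsp" and under_goanywhere(event["path"]):
            return ("webshell_drop", event["path"])
    return None

def hunt(lines):
    # Parse JSON-lines telemetry and return findings in log order.
    findings = []
    for line in lines:
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                findings.append(hit)
    return findings

# Constructed telemetry: the event schema and the install paths are
# placeholders, not a real EDR format or the product's actual layout.
SAMPLE_TELEMETRY = r"""
{"type":"process","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\whoami.exe","cmdline":"whoami"}
{"type":"process","parent_image":"C:\\Program Files\\GoAnywhere\\jre\\bin\\java.exe","image":"C:\\Windows\\System32\\whoami.exe","cmdline":"whoami"}
{"type":"process","parent_image":"C:\\Program Files\\GoAnywhere\\jre\\bin\\java.exe","image":"C:\\Windows\\System32\\net.exe","cmdline":"net user"}
{"type":"process","parent_image":"C:\\Program Files\\GoAnywhere\\jre\\bin\\java.exe","image":"C:\\Windows\\System32\\mstsc.exe","cmdline":"mstsc /v:FILESRV01"}
{"type":"file_create","path":"C:\\Program Files\\GoAnywhere\\webapps\\ROOT\\cmd.jsp"}
"""
```

Running `hunt(SAMPLE_TELEMETRY.splitlines())` flags the three GoAnywhere-spawned processes and the .jsp drop while ignoring the same `whoami` launched from Explorer; feed it your EDR's process-creation and file-creation events after mapping them onto the same fields.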
Mitigation and Protection Guidance
To defend against this threat, organizations should immediately upgrade GoAnywhere MFT to the latest patched version as per Fortra’s advisory.
Because patching does not undo prior exploitation, thorough investigation of systems suspected of compromise is essential. Restrict outbound internet access for servers to prevent malicious downloads and C2 communications.
Deploy endpoint detection and response (EDR) in block mode to ensure any malicious artifacts are halted, even if they bypass antivirus scans.
Enable automated investigation and remediation to allow rapid response to alerts. Turn on attack surface reduction rules to block common ransomware methods, including preventing web shell creation and restricting executable launches based on trust metrics.
Use an external attack surface management solution to discover unpatched GoAnywhere instances. Continuously monitor license servlet traffic for suspicious signature verification failures.
Finally, leverage Microsoft Defender vulnerability management and XDR capabilities to detect vulnerable devices, alert on exploitation attempts, and coordinate detection and response across the environment.
By combining rapid patching, stringent network controls, and advanced endpoint security, organizations can mitigate the risk posed by this high-severity GoAnywhere MFT vulnerability and disrupt Storm-1175’s Medusa ransomware campaigns.