Cybercriminals exploited a critical deserialization flaw in Fortra’s GoAnywhere Managed File Transfer (MFT) tool—tracked as CVE-2025-10035—to drop Medusa ransomware, Microsoft disclosed Monday.
The campaign, attributed to a group Microsoft tracks as Storm-1175, illustrates how file-transfer infrastructure once again becomes a staging ground for high-impact attacks.
According to Microsoft, Storm-1175 used the vulnerability to gain initial access into target networks. Once inside, attackers deployed remote administration tools like SimpleHelp and MeshAgent before escalating privileges and spreading laterally.
The impact was severe. After exploitation, adversaries conducted system and user discovery, maintained long-term access, and prepared the environment to deploy ransomware.
How the Vulnerability Worked
CVE-2025-10035 resides in GoAnywhere MFT’s License Servlet and stems from unsafe deserialization logic. Attackers forge a “valid license response signature” and cause the servlet to deserialize attacker-controlled objects, triggering command injection. Fortra confirmed the flaw in its advisory and published patches for version 7.8.4 (and updated sustain release 7.6.3) to remediate it.
Security researchers say the vulnerability isn’t a stand-alone bug. Rapid7 flagged a multi-step chain combining an access control bypass (dating from 2023) with the unsafe deserialization flaw and a yet-unconfirmed mechanism related to the license key structure. Exploitation requires that the GoAnywhere Admin Console or the license endpoint be externally accessible.
In 2023, the GoAnywhere platform had already been compromised via CVE-2023-0669, which was weaponized by ransomware operators, illustrating that attackers have considered GoAnywhere a valuable target.
From File Transfer to Medusa Ransomware Deployment
Once attackers breached a GoAnywhere instance, they typically uploaded webshells disguised within the MFT environment to establish a foothold. Microsoft observed lateral movement beginning with remote monitoring tools, followed by reconnaissance and staging of Medusa payloads.
The attack chain indicates that the vulnerability did not directly encrypt files; instead, it served as a pivot into the network where Medusa victims were selected and encrypted later.
Storm-1175 has been active in the ransomware ecosystem and is known for targeting public-facing applications for initial access. The group’s use of GoAnywhere demonstrates how criminals reuse familiar tooling against newly available exploitation vectors. Medusa itself has targeted more than 300 critical infrastructure organizations to date, employing double-extortion tactics and public leak sites to pressure victims.
According to Cyble, a cybersecurity threat intelligence firm, the group has seen a 45% increase in its operations in 2025 compared to the previous year.
Detection tips in Microsoft’s advisory focused on both network and host artifacts. Incident responders were told to search for anomalous HTTP POSTs to admin endpoints, newly created JSP/WAR files in webapp paths, unexplained scheduled tasks and unusual Java process invocations. Microsoft published IOCs and suggested hunting for the specific webshell file names and hashes it observed, while recommending telemetry collection for process command lines and file-write events tied to the MFT server user.
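The network and host checks described above, as an added Python example (not code from Microsoft’s or Fortra’s advisories): it runs three of the hunts over constructed access-log lines, file-write events and process events. The endpoint prefixes, webapp root, service account and internal address ranges are assumptions to replace with your own deployment’s values.

```python
import ipaddress
import re
# Assumed values (not from Fortra or Microsoft): adjust to your deployment.
SENSITIVE_PREFIXES = ("/goanywhere/admin", "/goanywhere/lic")   # admin console, license endpoint
WEBAPP_ROOT = "/opt/goanywhere/tomcat/webapps/"                  # where dropped JSP/WAR files would land
SERVICE_USER = "goanywhere"                                      # account the MFT server runs as
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SHELLS = {"sh", "bash", "cmd.exe", "powershell.exe"}
# Common Log Format: source ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def external_posts(access_log):
    """POSTs to admin/license endpoints from outside INTERNAL_NETS -> [(src, ts, path)]."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a CLF request line
        src, ts, method, path, _status = m.groups()
        if method == "POST" and path.startswith(SENSITIVE_PREFIXES) \
                and not any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS):
            hits.append((src, ts, path))
    return hits

def new_webapp_artifacts(file_events):
    """JSP/WAR files written under the webapp root by the MFT service account."""
    return [e["path"] for e in file_events
            if e["user"] == SERVICE_USER and e["path"].startswith(WEBAPP_ROOT)
            and e["path"].lower().endswith((".jsp", ".war"))]

def java_spawned_shells(process_events):
    """Shell or command interpreter whose parent process is Java."""
    return [e["cmdline"] for e in process_events
            if e["parent"].lower() in ("java", "java.exe") and e["image"].lower() in SHELLS]

# Constructed sample telemetry (not real IOCs or captured logs).
ACCESS_LOG = """\
203.0.113.7 - - [29/Sep/2025:10:02:45 +0000] "POST /goanywhere/lic/submit HTTP/1.1" 200 77
10.0.0.9 - - [29/Sep/2025:10:02:50 +0000] "POST /goanywhere/admin/users HTTP/1.1" 302 0
203.0.113.7 - - [29/Sep/2025:10:03:02 +0000] "POST /goanywhere/admin/upload HTTP/1.1" 200 44
"""
FILE_EVENTS = [
    {"user": "goanywhere", "path": "/opt/goanywhere/tomcat/webapps/ROOT/helper.jsp"},
    {"user": "goanywhere", "path": "/opt/goanywhere/userdata/transfers/report.csv"},
    {"user": "root", "path": "/opt/goanywhere/tomcat/webapps/ROOT/index.jsp"},  # admin deploy
]
PROCESS_EVENTS = [
    {"parent": "java", "image": "sh", "cmdline": "sh -c id"},
    {"parent": "java", "image": "java", "cmdline": "java -jar scheduler.jar"},
    {"parent": "systemd", "image": "bash", "cmdline": "bash /opt/goanywhere/start.sh"},
]
```

The internal POST and the administrator’s own deploy are deliberately left unflagged so the filters can be tuned against known-good activity before any real hunt.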