
A critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software, tracked as CVE-2025-10035, is being actively exploited in ransomware attacks by a cybercrime group known as Storm-1175. The flaw, which carries a maximum CVSS score of 10.0, allows unauthenticated remote code execution. Evidence indicates that exploitation began as a zero-day attack nearly a week before Fortra’s public disclosure, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding it to its Known Exploited Vulnerabilities catalog on September 29, 2025 [9].
This incident mirrors the mass exploitation of a similar GoAnywhere flaw, CVE-2023-0669, by the Cl0p ransomware gang in 2023, which impacted over 130 organizations [7]. The recurrence of a critical vulnerability in the same enterprise file transfer product, a “crown jewel” target handling sensitive financial and personal data, raises significant concerns about the security of these systems [4].
Executive Summary for Security Leadership
A maximum severity (CVSS 10.0) deserialization vulnerability in Fortra’s GoAnywhere MFT product is under active exploitation by the Medusa ransomware operation. Threat actors, tracked as Storm-1175, gained a one-week head start, exploiting the flaw as a zero-day before a patch was available. Immediate patching and network isolation of the Admin Console are critical to prevent compromise.
- Threat: Active exploitation of CVE-2025-10035 by the Medusa ransomware group (Storm-1175).
- Vulnerability: Critical (10.0) unauthenticated remote code execution via a deserialization flaw in the License Servlet.
- Affected Products: GoAnywhere MFT versions prior to 7.8.4 and 7.6.3.
- Key Action: Patch immediately to versions 7.8.4 or 7.6.3 and restrict internet access to the Admin Console.
- Exposure: Over 20,000 internet-facing instances identified, including Fortune 500 companies [1].
Technical Breakdown of CVE-2025-10035
CVE-2025-10035 is a deserialization flaw in the License Servlet of GoAnywhere MFT. It allows an unauthenticated attacker with a forged license response signature to deserialize a malicious object, leading directly to remote code execution [9]. The vulnerability is triggered by sending a crafted HTTP GET request to the `/goanywhere/license/Unlicensed.xhtml` endpoint [8]. Fortra developed a patch within five days, releasing it on September 18 after the vulnerability was discovered on September 13 [8].
Technical analysis from Rapid7 reveals that CVE-2025-10035 is not a single flaw but a chain of three separate issues [1]. The chain starts with a known access control bypass vulnerability, proceeds through the unsafe deserialization flaw itself, and relies on an unresolved issue regarding how attackers obtained the specific private key required to forge the license signature. The patch replaces the unsafe `SignedObject.getObject` method with a wrapper that adds safety checks around the deserialization process [3]. Fortra advises that stack traces containing exceptions mentioning `SignedObject.getObject` are a strong indicator of exploitation attempts [7].
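The design point behind the patch is worth making concrete: a signature check proves who produced the bytes, not what types they contain, so once the signing key is in the wrong hands (the unresolved question above) a verify-then-deserialize routine executes whatever the signer chose. The following is an added Python analogue, not GoAnywhere code and not Fortra’s patch. Python’s `pickle` stands in for Java serialization, an HMAC over a constructed key stands in for the license signature, and every class and function name here is invented for the demonstration. It contrasts a routine modelled on `SignedObject.getObject`, which deserializes anything that verifies, with the same routine wrapped in a class allowlist that refuses the forged object before any code runs.

```python
import hashlib
import hmac
import io
import pickle

# Constructed secret standing in for the license-signing private key. Only a
# party holding this key can produce a signature that verifies.
SIGNING_KEY = b"constructed-demo-signing-key"

# Records anything that executes *during* deserialization.
EXECUTED: list[str] = []


def record_side_effect(tag: str) -> str:
    """Benign stand-in for the arbitrary code a real gadget chain would run."""
    EXECUTED.append(tag)
    return tag


class LicenseResponse:
    """The only type the license endpoint should ever expect to receive."""

    def __init__(self, licensee: str, seats: int) -> None:
        self.licensee = licensee
        self.seats = seats


class Gadget:
    """Stand-in for a deserialization gadget: unpickling it calls an arbitrary callable."""

    def __reduce__(self):
        return (record_side_effect, ("payload ran",))


def sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def make_signed(obj) -> tuple[bytes, bytes]:
    """Serialize and sign; this is what any key holder, legitimate or not, can do."""
    payload = pickle.dumps(obj)
    return payload, sign(payload)


def verify(payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(payload), sig)


def get_object_unsafe(payload: bytes, sig: bytes):
    """Analogue of SignedObject.getObject: check the signature, then deserialize anything.

    The signature says nothing about the types inside the payload, so a signed
    Gadget runs code here even though the check passed.
    """
    if not verify(payload, sig):
        raise ValueError("bad signature")
    return pickle.loads(payload)


# Types the deserializer may instantiate. Anything else is refused before it is
# constructed, which is the kind of check a hardening wrapper adds.
ALLOWED_CLASSES = {(__name__, "LicenseResponse")}


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def get_object_safe(payload: bytes, sig: bytes):
    """Same signature check, but deserialization is restricted to the expected type."""
    if not verify(payload, sig):
        raise ValueError("bad signature")
    return AllowlistUnpickler(io.BytesIO(payload)).load()


def demo() -> dict:
    """Run both routines against a genuine response and a forged gadget; report what happened."""
    EXECUTED.clear()
    genuine = make_signed(LicenseResponse("Example Corp", 50))
    forged = make_signed(Gadget())  # a key holder signs a gadget instead of a license
    out = {
        "unsafe_genuine": get_object_unsafe(*genuine).seats,
        "safe_genuine": get_object_safe(*genuine).seats,
        "unsafe_forged": get_object_unsafe(*forged),
        "executed_after_unsafe": list(EXECUTED),
    }
    try:
        get_object_safe(*forged)
        out["safe_forged"] = "deserialized"
    except pickle.UnpicklingError as exc:
        out["safe_forged"] = f"rejected: {exc}"
    out["executed_after_safe"] = list(EXECUTED)
    try:
        get_object_unsafe(forged[0], bytes(32))  # wrong signature: both routines refuse
        out["bad_signature"] = "accepted"
    except ValueError:
        out["bad_signature"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value}")
```

The allowlist is the important part: the signature check is identical in both routines, so the only thing that stops the forged object is refusing to instantiate types the endpoint never needs. The Java equivalent is an `ObjectInputFilter` (or a lookahead `resolveClass` override) applied before `getObject` returns; Fortra’s advisory describes the patch only as a wrapper with safety checks, so the exact mechanism used in 7.8.4 and 7.6.3 is not known from the page.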
Evidence of In-the-Wild Exploitation
Cybersecurity firm watchTowr Labs reported “credible evidence” of in-the-wild exploitation dating back to September 10, 2025 [1]. This was a full week before Fortra’s public disclosure, giving threat actors a significant advantage. Analysis of attack logs indicates that after successful exploitation, actors created a backdoor admin account named `admin-go` and a new web user to maintain persistent, legitimate access. A payload named `zato_be.exe` was also uploaded to compromised systems [7].
The official confirmation of active exploitation came when CISA added the vulnerability to its Known Exploited Vulnerabilities list on September 29, 2025, mandating remediation for federal agencies [9]. Fortra’s own communications evolved; while their initial advisory did not confirm exploitation, the subsequent inclusion of specific Indicators of Compromise (IOCs) and stack traces for defenders strongly implies the vendor believes the flaw is being actively attacked [1]. The ransomware group Medusa, tracked by Microsoft as Storm-1175, has been leveraging this vulnerability in its campaigns.
Attack Methodology and Post-Exploitation Activity
The attack path requires access to the GoAnywhere Admin Console, which threat actors leverage by chaining the known access control bypass with the deserialization flaw. A central mystery surrounding this exploitation is how threat actors acquired the private key necessary to create a validly signed malicious object. This has led to speculation about a potential leak from a cloud-based license server, a question that remains unresolved [1]. The ability to forge this signature is what makes the unauthenticated RCE possible.
Once the system is compromised, the established attack pattern involves creating persistence mechanisms. As observed by watchTowr, this includes creating new user accounts with administrative privileges, such as the `admin-go` account [7]. The deployment of a payload like `zato_be.exe` suggests the attackers are establishing a robust foothold for data exfiltration and subsequent ransomware deployment. This methodology is consistent with ransomware operations that seek to maximize their impact and financial gain by thoroughly compromising a network before deploying encryption payloads.
Mitigation and Defensive Recommendations
The primary and most effective mitigation is to immediately upgrade GoAnywhere MFT to the patched versions 7.8.4 or Sustain Release 7.6.3 [1]. Given that exploitation requires network access to the Admin Console, Fortra strongly recommends restricting public internet access to this interface as a fundamental step to reduce the attack surface [3]. This network-level control can prevent a large number of automated and opportunistic attacks, even before patching can be applied in complex environments.
Organizations should conduct immediate threat hunting using the IOCs provided by Fortra. Security teams should audit application logs for stack traces containing exceptions that mention `SignedObject.getObject`, which Fortra identifies as a likely sign of exploitation attempts [7]. Deploying SIEM and EDR rules to detect unusual license validation activity, suspicious command execution, and unexpected child processes spawned by the MFT application is also advised [4]. User account audits should look for any newly created administrative or web accounts, not only the observed `admin-go` name, since the intrusions described above created both kinds.
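One way to run the hunt described above over application logs, as an added example and not a Fortra-supplied tool. The log lines below are constructed: GoAnywhere’s real log layout, logger tags, package names and message wording are assumptions made here, and only the indicator strings (the `SignedObject.getObject` stack-trace fragment, the `admin-go` account, the `zato_be.exe` payload and the license endpoint) come from the reporting cited on this page. It generalizes slightly by flagging every administrative account creation rather than the one known name, since an attacker has no reason to reuse it, and it rolls the hits up into a triage verdict so the same logic can be pointed at a real log file.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of an MFT application log. This is NOT real GoAnywhere output:
# timestamps, the [web] tag, package names and message wording are all assumed.
# Only the indicator strings themselves come from the public reporting.
SAMPLE_LOG = """\
2025-09-09 22:01:07 INFO  [web] Admin user 'jsmith' logged in from 10.0.4.17
2025-09-10 03:14:51 INFO  [web] GET /goanywhere/license/Unlicensed.xhtml from 203.0.113.45
2025-09-10 03:14:52 ERROR [web] Failed to process license response
java.lang.ClassCastException: cannot assign instance of com.example.Gadget to field
    at java.base/java.security.SignedObject.getObject(SignedObject.java)
    at com.example.mft.license.LicenseResponse.process(LicenseResponse.java)
2025-09-10 03:16:10 INFO  [web] Admin user 'admin-go' created by 'root' from 203.0.113.45
2025-09-10 03:17:43 INFO  [web] Web user 'svc_sync' created by 'admin-go' from 203.0.113.45
2025-09-10 03:20:05 INFO  [web] File uploaded: C:\\GoAnywhere\\userdata\\zato_be.exe by 'admin-go'
2025-09-10 08:00:00 INFO  [web] Admin user 'jsmith' logged in from 10.0.4.17
"""

INDICATORS = {
    # Fortra: exceptions mentioning SignedObject.getObject in stack traces
    # are a strong indicator of exploitation attempts.
    "deserialization_error": re.compile(r"\bSignedObject\.getObject\b"),
    # The endpoint the published analyses associate with the crafted request.
    # On its own this is a weak signal: legitimate clients hit it too.
    "license_endpoint_hit": re.compile(r"/goanywhere/license/Unlicensed\.xhtml"),
    # Persistence artefacts reported by watchTowr.
    "ioc_admin_go": re.compile(r"\badmin-go\b"),
    "ioc_payload": re.compile(r"\bzato_be\.exe\b", re.IGNORECASE),
}

# Any admin-account creation deserves review, whatever it is called.
# The message shape is an assumption about the log format.
ADMIN_CREATED = re.compile(r"Admin user '([^']+)' created by '([^']+)' from (\S+)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    indicator: str
    detail: str


def scan(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per (line, indicator) match; pass an open file or a list."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(n, name, line.strip()))
        m = ADMIN_CREATED.search(line)
        if m:
            user, creator, src = m.groups()
            findings.append(Finding(n, "admin_account_created",
                                    f"{user} created by {creator} from {src}"))
    return findings


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count findings per indicator."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


def verdict(counts: dict[str, int]) -> str:
    """Triage: an exploitation error followed by persistence artefacts is the strongest case."""
    persistence = any(counts.get(k) for k in
                      ("admin_account_created", "ioc_admin_go", "ioc_payload"))
    if counts.get("deserialization_error") and persistence:
        return "likely compromised: exploitation error followed by persistence indicators"
    if counts.get("deserialization_error"):
        return "exploitation attempt: check the host for new accounts and uploads"
    if counts:
        return "weak signals only: review manually"
    return "no indicators"


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f.line_no:>3}  {f.indicator:<22} {f.detail}")
    counts = summarize(found)
    print(counts)
    print(verdict(counts))
```

Before deploying this against production logs, confirm the account-creation message shape against a real entry from your own instance and adjust `ADMIN_CREATED` accordingly; the other three patterns are literal indicator strings and should transfer as they are. Treat the license-endpoint hit as context for the error, not as evidence by itself.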
Broader Implications and Historical Context
The recurrence of a critical vulnerability in GoAnywhere MFT that is “virtually identical” to the previously exploited CVE-2023-0669 highlights systemic challenges in securing enterprise file transfer solutions [8]. These systems are high-value targets because they are designed to move sensitive data, including financial records, personally identifiable information (PII), and legal documents. The presence of over 20,000 internet-facing instances illustrates the widespread potential impact of this vulnerability [1].
The discrepancy between third-party evidence of exploitation and the vendor’s initial communication has raised concerns about transparency in vulnerability disclosure [6]. When defenders are not fully aware of the active threat landscape, their ability to assess risk and prioritize remediation is hampered. Bitsight’s Cyber Threat Intelligence team has observed active discussions of CVE-2025-10035 on cybercriminal forums, indicating growing interest that often precedes broader exploitation campaigns [4].
The active exploitation of CVE-2025-10035 by the Medusa ransomware group underscores the persistent threat to internet-facing enterprise applications. The combination of a critical severity rating, evidence of pre-disclosure exploitation, and the high-value data processed by GoAnywhere MFT makes this a significant incident. Patching remains the most critical defense, but it must be coupled with network segmentation and vigilant log monitoring. The recurrence of such flaws in the same product line necessitates a long-term strategy that may include reassessing the use of these technologies in sensitive environments. The security community will be watching closely to see if this vulnerability leads to a wave of breaches similar to the one caused by its predecessor in 2023.
References
- “Hackers exploit Fortra GoAnywhere flaw before public alert,” Security Affairs, 2025-09-26.
- “Fortra GoAnywhere Hit by Critical Zero-Day,” Virtru, undated (published in the week of the disclosure).
- “Critical Forta GoAnywhere MFT Deserialization Vulnerability,” Kudelski Security, 2025-09-24.
- “Critical Vulnerability Alert: CVE-2025-10035 in GoAnywhere MFT,” Bitsight, 2025-09-29.
- “Microsoft: Critical GoAnywhere bug exploited in ransomware attacks,” BleepingComputer, undated (late September 2025).
- “Worries mount over max-severity GoAnywhere defect,” CyberScoop, 2025-09-26.
- “Fortra patches critical GoAnywhere MFT flaw akin to past ransomware exploits,” CSO Online, 2025-09-19, updated 2025-09-26.
- LinkedIn Post by Caitlin Condon, VP of Security Research at VulnCheck, 2025-09-19.
- “CVE-2025-10035 – Critical unauthenticated RCE in GoAnywhere MFT,” Rapid7 Blog, 2025-09-19, updated 2025-09-30.
- The CyberWire Daily Podcast – Transcript, 2025-09-25.