The CISO Brief
Cybercrime and Ransomware

Critical Vulnerability in GoAnywhere Exploited in Ransomware Attacks

By Staff Writer, October 6, 2025

Top Highlights

  1. Storm-1175, a cybercrime group tracked by Microsoft, has been exploiting a critical vulnerability (CVE-2025-10035, CVSS 10.0) in Fortra’s GoAnywhere MFT since at least September 10, 2025, using it as the entry point for Medusa ransomware attacks.
  2. The flaw is deserialization of untrusted data in the product’s License Servlet. It is reachable over the network, needs no authentication and no user interaction, and is low complexity, so a single crafted request gives the attacker code execution on the MFT server.
  3. Microsoft confirmed that Storm-1175 used the flaw for initial access, then installed RMM tools (SimpleHelp and MeshAgent) for persistence, performed network reconnaissance and lateral movement, staged and exfiltrated data with Rclone, and finally encrypted files with Medusa ransomware.
  4. Medusa was already on the radar of CISA, the FBI and MS-ISAC, whose March 2025 advisory counted more than 300 critical infrastructure victims; that advisory’s guidance to patch promptly and review logs for signs of compromise applies directly to GoAnywhere operators now.

Underlying Problem

For nearly a month, a cybercrime group Microsoft tracks as Storm-1175 has been exploiting a critical flaw in Fortra’s GoAnywhere MFT, CVE-2025-10035, to carry out Medusa ransomware attacks. The bug is an insecure deserialization in the License Servlet: an attacker who can reach that endpoint submits a crafted license response, the server deserializes it into attacker-chosen objects, and the result is remote code execution with no user interaction. Fortra released a fix on September 18 (version 7.8.4 and Sustain Release 7.6.3), but within a week evidence emerged that exploitation had begun on September 10, while the flaw was still a zero-day. Microsoft confirmed that Storm-1175 has used the exploit since at least September 11: initial access through the servlet, persistence via Remote Monitoring and Management (RMM) tools such as SimpleHelp and MeshAgent, then exfiltration of sensitive files and ransomware deployment. The activity has hit numerous critical infrastructure organizations across the U.S., and CISA, the FBI and Microsoft have all urged organizations to patch and to scrutinize logs for signs of compromise. The timeline is the important detail: because the servlet was being attacked before a patch existed, any exposed instance that was not updated on September 18 has to be treated as potentially compromised until its logs show otherwise, not merely as unpatched.

Security Implications

The immediate exposure is the MFT server itself. A deserialization flaw that is remote, low complexity and requires no user interaction means any internet-reachable, unpatched GoAnywhere instance can be taken over with a single request, and Storm-1175 has used exactly that foothold since at least September 11, 2025 to install RMM tools, map the network, move laterally, stage data with Rclone and finally encrypt files with Medusa. Medusa’s reach was already significant before this campaign: the March 2025 advisory from CISA, the FBI and MS-ISAC counted more than 300 critical infrastructure victims, and GoAnywhere is now one more initial-access route into that playbook. Although Fortra’s patch has been available since September 18, how many systems remain unpatched is unclear, and MFT servers are attractive targets precisely because they hold and route sensitive files for many business partners at once. The outcome for victims is operational disruption, data loss (with the added pressure of exfiltrated files being leaked) and financial damage, all rooted in one unauthenticated request against an unpatched edge system.
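The bug class described in the two sections above, deserializing attacker-controlled bytes into whatever objects the stream names, is easiest to see in a small runnable form. The following is an added example, not Fortra’s code and not the actual GoAnywhere patch: it uses Python’s pickle as a stand-in for the Java serialization that the License Servlet uses, and the names LicenseResponse, Exploit and the use of os.getcwd as a harmless placeholder for a real command are all illustrative assumptions. The hardened loader shows the general mitigation (only deserialize types the endpoint is supposed to receive); Fortra’s actual fix addressed how the servlet validates the license response.

```python
"""Added example (not Fortra's code): the bug class behind CVE-2025-10035, deserializing
attacker-controlled bytes, shown with Python's pickle standing in for Java serialization.
Names (LicenseResponse, Exploit) are illustrative; os.getcwd stands in for a real command."""
import io
import os
import pickle


class LicenseResponse:
    """The object the server legitimately expects a license reply to contain."""

    def __init__(self, licensee: str, expires: str) -> None:
        self.licensee = licensee
        self.expires = expires


class Exploit:
    """What an attacker sends instead. Deserializers honour __reduce__, so loading this
    object calls the named callable: here os.getcwd, in a real attack os.system."""

    def __reduce__(self):
        return (os.getcwd, ())


def vulnerable_load(data: bytes):
    """Equivalent of ObjectInputStream.readObject() on unauthenticated input: whatever
    class or callable the byte stream names is resolved and invoked."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist the one type this endpoint is supposed to receive; refuse everything else."""

    def find_class(self, module: str, name: str):
        if module == LicenseResponse.__module__ and name == "LicenseResponse":
            return LicenseResponse
        raise pickle.UnpicklingError(f"refusing to deserialize {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run both loaders on a legitimate and a hostile stream; returns what each did."""
    legit = pickle.dumps(LicenseResponse("acme", "2026-01-01"))
    hostile = pickle.dumps(Exploit())
    results = {
        "legit_safe": safe_load(legit).licensee,
        # The attacker's callable ran: we got its return value (a str), not an Exploit object.
        "hostile_vulnerable": type(vulnerable_load(hostile)).__name__,
    }
    try:
        safe_load(hostile)
        results["hostile_safe"] = "loaded"
    except pickle.UnpicklingError:
        results["hostile_safe"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point the vulnerable path makes is that the server never got an Exploit object at all; it got the return value of a function the attacker chose, which is exactly why pre-authentication deserialization of a network payload is scored as critical. The allowlist approach works only when the set of expected types is small and known, which is true of a license response and of most single-purpose servlets.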

Possible Action Plan

Timely remediation of the GoAnywhere flaw is essential: the exploit is unauthenticated, it was in use before the patch existed, and the group using it moves from initial access to encryption quickly. The steps below therefore pair patching with an explicit check for compromise on every instance that was exposed before the fix was applied.

Mitigation Steps

  • Immediate Patch Deployment
    Upgrade GoAnywhere MFT to version 7.8.4 or Sustain Release 7.6.3, the builds Fortra released on September 18 with the fix, and confirm the running version on every instance afterwards rather than trusting the change ticket.

  • Reducing Exposure
    Fortra’s guidance is that the GoAnywhere Admin Console should never be reachable from the internet. Put it behind a VPN or an IP allow-list, and disable any GoAnywhere services or listeners the organization does not use; an instance whose console was exposed before the patch should be treated as potentially compromised, not just unpatched.

  • Account Security Enhancement
    Review GoAnywhere admin and web user accounts for any created or modified on or after September 10 that no one can vouch for, rotate passwords and any credentials or keys stored in the product for partner connections, and enforce multi-factor authentication on administrative access.

  • Network Segmentation
    An MFT server should only be able to reach the hosts and partners it transfers files with. Tight egress filtering also blocks the two post-exploitation tools this campaign relies on: RMM agents calling home and Rclone pushing data to cloud storage.

  • Vulnerability Scanning
    Scan the whole estate for GoAnywhere instances, including forgotten test, staging and disaster-recovery copies; the attacker only needs one reachable unpatched server.

  • Incident Response Activation
    For any instance that was internet-reachable between September 10 and the date it was patched, activate the incident response plan and hunt for the indicators listed under remediation before declaring it clean.

  • User Awareness & Training
    Phishing plays no part in this particular vector, which needs no user interaction, but the wider Medusa playbook described in the CISA advisory does use phishing and purchased access, so staff should still know how to recognize and report social engineering.

Remediation Steps

  • System Restoration
    Rebuild compromised instances from clean images or backups that predate September 10, and remove any SimpleHelp or MeshAgent installations and Rclone binaries found on the MFT host or on systems it reached, since those are the persistence and exfiltration tools Storm-1175 used.

  • Log Analysis & Forensics
    Search the GoAnywhere application and admin audit logs for errors containing the string SignedObject.getObject, the indicator Fortra’s advisory directs administrators to look for, and for unexpected admin logins or user creation. On the host and in EDR telemetry, look for RMM agent installs, rclone execution, and large outbound transfers in the days after any such error. Preserve the logs before rebuilding so the scope of the breach can be established for legal and compliance purposes.

  • Enhanced Monitoring
    Alert on new RMM agents appearing on servers that should not have them, on rclone or similar sync tools executing, and on unusual outbound data volumes from the MFT host, so a repeat intrusion is caught before the encryption stage.

  • Policy Review & Update
    Set a patch SLA for internet-facing transfer and edge systems that matches the speed of exploitation seen here (zero-day use eight days before the fix), and make “admin consoles are never internet-facing” a standing rule.

  • Vendor Collaboration
    Work with Fortra support on version verification and on any additional indicators the vendor publishes, and fold the results into the organization’s own monitoring.

About the author

John Marcelli is a staff writer for The CISO Brief.