Fortra

A critical vulnerability, CVE-2025-10035 (CVSS 10.0), in Fortra’s GoAnywhere Managed File Transfer (MFT) tool was actively exploited as a zero-day by the threat group Storm-1175 before Fortra released a patch on September 18, 2025. The flaw, a deserialization vulnerability in the License Servlet Admin Console, allowed attackers to bypass signature verification, execute arbitrary commands, and achieve remote code execution (RCE) without authentication. After exploitation, the attackers performed system discovery, moved laterally using RMM tools (SimpleHelp, MeshAgent), and deployed Medusa ransomware in at least one victim environment. Data was exfiltrated using Rclone, and a Cloudflare tunnel was used to secure C2 communications. With 513 GoAnywhere instances exposed to the internet worldwide (the majority in North America), the campaign posed severe risks: long-term system compromise, ransomware deployment, and potential data theft. Medusa, linked to over 300 victims globally (including a US healthcare organization in 2025), relies on phishing and unpatched vulnerabilities for initial access and poses an escalating threat to critical infrastructure.

Source: https://www.infosecurity-magazine.com/news/microsoft-critical-goanywhere/

TPRM report: https://www.rankiteo.com/company/fortra

{
  "id": "for0532805100725",
  "linkid": "fortra",
  "type": "Ransomware",
  "date": "9/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '300+ global victims (Medusa '
                                              'ransomware), including 40+ in '
                                              'early 2025',
                        'industry': ['Technology',
                                     'Critical infrastructure (e.g., '
                                     'healthcare)',
                                     'Multiple sectors using GoAnywhere MFT'],
                        'location': 'Global (513 exposed instances; 363 in '
                                    'North America)',
                        'name': 'Fortra (GoAnywhere MFT users)',
                        'type': ['Software vendor', 'Enterprise customers']}],
 'attack_vector': ['Network-based exploitation via License Servlet Admin '
                   'Console',
                   'Deserialization of attacker-controlled objects',
                   'Forged license response signature bypass'],
 'customer_advisories': ['Fortra (patch notification, 2025-09-18)'],
 'data_breach': {'data_encryption': ['Medusa ransomware encryption'],
                 'data_exfiltration': ['Observed via Rclone in at least one '
                                       'victim environment']},
 'date_detected': '2025-09-11',
 'date_publicly_disclosed': '2025-09-19',
 'date_resolved': '2025-09-18',
 'description': 'A critical deserialization vulnerability (CVE-2025-10035, '
                'CVSS 10.0) in Fortra’s GoAnywhere Managed File Transfer (MFT) '
                'tool is being actively exploited by threat group Storm-1175 '
                'to deploy Medusa ransomware. The flaw allows attackers to '
                'bypass signature verification via forged license responses, '
                'enabling arbitrary object deserialization, command injection, '
                'and potential remote code execution (RCE). Exploitation does '
                'not require authentication if attackers can craft or '
                'intercept valid license responses. Post-exploitation '
                'activities include system/user discovery, lateral movement '
                'using RMM tools (SimpleHelp, MeshAgent), and data '
                'exfiltration via Rclone. A Cloudflare tunnel was used for '
                'secure C2 communication. The Medusa ransomware-as-a-service '
                'variant has targeted over 300 global victims, including '
                'critical infrastructure sectors, with 40+ victims in early '
                '2025 alone.',
 'impact': {'brand_reputation_impact': ['Potential reputational damage for '
                                        'Fortra',
                                        'Trust erosion in GoAnywhere MFT '
                                        'users'],
            'data_compromised': True,
            'operational_impact': ['System discovery',
                                   'Lateral movement',
                                   'Ransomware deployment (Medusa)',
                                   'Data exfiltration via Rclone'],
            'systems_affected': '513 exposed GoAnywhere MFT instances (363 in '
                                'North America)'},
 'initial_access_broker': {'backdoors_established': ['RMM tools (SimpleHelp, '
                                                     'MeshAgent)',
                                                     'Cloudflare tunnel for '
                                                     'C2'],
                           'entry_point': 'GoAnywhere MFT License Servlet '
                                          'Admin Console (CVE-2025-10035)',
                           'high_value_targets': ['Critical infrastructure '
                                                  'sectors (e.g., healthcare)',
                                                  'Organizations with '
                                                  'internet-exposed GoAnywhere '
                                                  'instances']},
 'investigation_status': 'Ongoing (active exploitation observed; patch '
                         'available)',
 'lessons_learned': ['Critical vulnerabilities in file transfer tools are '
                     'high-value targets for ransomware groups.',
                     'Internet-exposed admin consoles significantly increase '
                     'exploitation risk.',
                     'RMM tools (e.g., SimpleHelp, MeshAgent) are frequently '
                     'abused for lateral movement.',
                     'Proactive patching and exposure reduction are essential '
                     'to mitigate zero-day risks.'],
 'motivation': ['Financial gain (ransomware)',
                'Data exfiltration',
                'Long-term access for lateral movement'],
 'post_incident_analysis': {'corrective_actions': ['Patch management '
                                                   'prioritization for '
                                                   'critical vulnerabilities.',
                                                   'Restrict Admin Console '
                                                   'access to internal '
                                                   'networks only.',
                                                   'Monitor and audit RMM tool '
                                                   'usage.',
                                                   'Enhance detection for '
                                                   'deserialization attacks '
                                                   'and forged license '
                                                   'responses.'],
                            'root_causes': ['Unpatched critical vulnerability '
                                            '(CVE-2025-10035) in GoAnywhere '
                                            'MFT.',
                                            'Internet exposure of Admin '
                                            'Console without authentication '
                                            'safeguards.',
                                            'Abuse of legitimate RMM tools for '
                                            'lateral movement and C2.']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Medusa'},
 'recommendations': ['Immediately patch CVE-2025-10035 and disable internet '
                     'exposure of GoAnywhere MFT Admin Console.',
                     'Monitor for unauthorized use of RMM tools (SimpleHelp, '
                     'MeshAgent) and Rclone.',
                     'Deploy network segmentation to limit lateral movement.',
                     'Review Cloudflare tunnels or similar services for '
                     'unauthorized C2 traffic.',
                     'Conduct threat hunting for Medusa ransomware indicators '
                     '(e.g., encryption patterns, ransom notes).',
                     'Educate employees on phishing risks, as Medusa '
                     'affiliates also use phishing for initial access.'],
 'references': [{'date_accessed': '2025-09-19',
                 'source': 'Microsoft Security Blog'},
                {'source': 'Shadowserver Foundation'},
                {'source': 'CISA/FBI/MS-ISAC Joint Advisory (March 2025)'}],
 'regulatory_compliance': {'regulatory_notifications': ['Joint advisory by '
                                                        'CISA, FBI, and '
                                                        'MS-ISAC (March '
                                                        '2025)']},
 'response': {'communication_strategy': ['Microsoft blog post (2025-09-19)',
                                         'Joint advisory by CISA/FBI/MS-ISAC '
                                         '(March 2025)'],
              'containment_measures': ['Urgent patching (released 2025-09-18)',
                                       'Isolation of exposed instances'],
              'enhanced_monitoring': ['Track Rclone/RMM tool usage',
                                      'Monitor for Medusa ransomware '
                                      'indicators'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': ['CISA',
                                           'FBI',
                                           'MS-ISAC (via joint advisory)'],
              'remediation_measures': ['Apply CVE-2025-10035 patch',
                                       'Disable internet exposure of Admin '
                                       'Console',
                                       'Monitor for RMM tool abuse '
                                       '(SimpleHelp, MeshAgent)'],
              'third_party_assistance': ['Microsoft (threat intelligence)',
                                         'Shadowserver Foundation (exposure '
                                         'tracking)']},
 'stakeholder_advisories': ['Microsoft (2025-09-19)',
                            'CISA/FBI/MS-ISAC (March 2025)'],
 'threat_actor': ['Storm-1175', 'Medusa ransomware affiliates'],
 'title': 'Critical Zero-Day Exploitation in Fortra’s GoAnywhere MFT Leading '
          'to Medusa Ransomware Attacks',
 'type': ['Zero-day exploitation',
          'Ransomware attack',
          'Unauthenticated remote code execution'],
 'vulnerability_exploited': 'CVE-2025-10035 (Critical deserialization flaw in '
                            'GoAnywhere MFT)'}