Microsoft Confirms GoAnywhere Zero-Day Exploited by Medusa Ransomware
The flaw, CVE-2025-10035, carries a maximum 10.0 CVSS score and stems from a deserialization weakness in GoAnywhere MFT’s License Servlet Admin Console versions up to 7.8.3. It allows attackers to remotely execute arbitrary code on unpatched servers — even without authentication in some cases — making it a prime target for ransomware operators.
According to Microsoft Threat Intelligence, a cybercrime group known as Storm-1175, a Medusa ransomware affiliate, began exploiting the flaw as early as September 11, 2025, nearly a week before vendor Fortra issued its patch on September 18, 2025.
Security researchers at WatchTowr Labs later confirmed that the flaw had been used as a zero-day, compromising several organizations before the patch was released.
“Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175,” Microsoft said in its advisory while confirming WatchTowr Labs’ report.
Inside The Attack Chain (From Exploit To Encryption)
- Initial Access: Storm-1175 exploited the GoAnywhere deserialization flaw to break into corporate systems.
- Persistence: Installed RMM tools like SimpleHelp and MeshAgent, often disguised within GoAnywhere directories.
- Post-Exploitation: Deployed .jsp files, ran network scans, and performed user/system reconnaissance.
- Network Discovery: Scanned networks using Netscan and conducted user reconnaissance.
- Lateral Movement: Used Microsoft Remote Desktop to move across systems.
- Command & Control (C2): Set up a Cloudflare tunnel for secure communication.
- Exfiltration: Stole data via Rclone before deploying Medusa ransomware.
Fortra Under Fire
Security experts criticized Fortra for quietly issuing a patch on September 18, 2025, without warning users of active exploitation. Benjamin Harris, CEO of WatchTowr Labs, highlighted that organizations had been under silent attack since September 11, with little clarity from Fortra.
The Shadowserver Foundation reports that over 500 GoAnywhere MFT instances remain exposed online, with patch status unclear.
What Users Should Do
Microsoft and Fortra urge all customers to upgrade immediately and check for compromise, especially logs containing SignedObject.getObject.
- Restrict external access to GoAnywhere Admin Consoles.
- Run endpoint detection and response (EDR) tools in block mode.
- Enable attack surface reduction rules.
Fortra notes that patching fixes the flaw but does not reverse previous breaches; forensic review is recommended.
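The compromise check described above can be partly scripted. The following is an added example for defenders, not code from Fortra or Microsoft: it searches log lines for the SignedObject.getObject indicator named in the guidance and lists files under the GoAnywhere install that match the artefacts the article describes (RMM agents such as SimpleHelp and MeshAgent, and dropped .jsp files). The log lines, file paths and the install root /opt/goanywhere are constructed assumptions; real deployments and log layouts differ, and the file-name heuristics are meant to produce a review list, not a verdict, since a Java web application like GoAnywhere ships its own .jsp files.

```python
"""Triage helper for a suspected GoAnywhere MFT compromise.

Added example, not vendor code. Two checks:
  1. find log lines containing the deserialization indicator
     "SignedObject.getObject" (the stack-trace string named in the guidance);
  2. flag files under the GoAnywhere install root whose names match the
     artefacts described in the reporting (SimpleHelp, MeshAgent, *.jsp).
All sample data below is constructed for illustration.
"""
import re
from pathlib import PurePosixPath

# Indicator string from the Microsoft/Fortra guidance.
INDICATOR = "SignedObject.getObject"

# Heuristic name patterns derived from the article's description of the
# intrusion. These are assumptions for a review list, not definitive IoCs.
SUSPECT_NAME_PATTERNS = [
    re.compile(r"simplehelp", re.IGNORECASE),
    re.compile(r"meshagent", re.IGNORECASE),
    re.compile(r"\.jsp$", re.IGNORECASE),
]

# Assumed install root; adjust to the real deployment.
DEFAULT_ROOT = "/opt/goanywhere"


def find_indicator_lines(lines):
    """Return (line_number, line) pairs whose text contains INDICATOR."""
    return [(n, ln) for n, ln in enumerate(lines, 1) if INDICATOR in ln]


def flag_suspect_files(paths, goanywhere_root=DEFAULT_ROOT):
    """Return paths below goanywhere_root whose file name matches a heuristic.

    Paths outside the install root are ignored on purpose: the reporting
    describes tools hidden inside GoAnywhere directories, so that is where a
    first pass should look. Use a wider sweep for the full forensic review.
    """
    root = PurePosixPath(goanywhere_root)
    hits = []
    for p in paths:
        pp = PurePosixPath(p)
        if root not in pp.parents:
            continue
        if any(pat.search(pp.name) for pat in SUSPECT_NAME_PATTERNS):
            hits.append(p)
    return hits


def triage(lines, paths, goanywhere_root=DEFAULT_ROOT):
    """Run both checks and return a dict suitable for a ticket or report."""
    return {
        "log_hits": find_indicator_lines(lines),
        "file_hits": flag_suspect_files(paths, goanywhere_root),
    }


# Constructed sample log excerpt (not a real GoAnywhere log format).
SAMPLE_LOG = [
    "2025-09-12 03:14:07 ERROR License response processing failed",
    "    at java.security.SignedObject.getObject(Unknown Source)",
    "2025-09-12 03:14:08 INFO Scheduled job completed",
]

# Constructed sample file listing, e.g. from `find /opt/goanywhere -type f`.
SAMPLE_FILES = [
    "/opt/goanywhere/userdata/SimpleHelp.exe",   # RMM agent in install dir
    "/opt/goanywhere/tmp/upload.jsp",            # dropped .jsp
    "/opt/goanywhere/logs/goanywhere.log",       # benign
    "/home/user/MeshAgent",                      # outside root, ignored here
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, SAMPLE_FILES)
    for n, ln in result["log_hits"]:
        print(f"log line {n}: {ln.strip()}")
    for p in result["file_hits"]:
        print(f"review file: {p}")
```

In practice, feed the script the exported GoAnywhere logs and a recursive file listing of the install directory; any indicator hit should be treated as a trigger for the forensic review Fortra recommends, because patching alone does not undo an earlier intrusion.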
Bottom Line
Organizations using GoAnywhere MFT should patch immediately, lock down internet access, and review systems for compromise. Medusa ransomware attacks highlight how trusted enterprise tools can become gateways for large-scale cyberattacks if not properly secured.