Fortra Acknowledges ‘Unauthorized Access’ Incident Affecting GoAnywhere MFT


Medusa Ransomware Group Linked to Exploitation of Recently Patched Zero-Day Vulnerability

Fortra Confirms 'Unauthorized Activity' Hit GoAnywhere MFT

Recent cyberattacks have targeted Fortra’s GoAnywhere managed file transfer software, primarily affecting on-premises deployments in which the administration console was exposed to the Internet, a configuration Fortra advises against.

In a detailed report published Thursday, Fortra disclosed that a “limited” number of its customers had been affected by attackers exploiting a zero-day deserialization vulnerability, tracked as CVE-2025-10035, in the License Servlet of GoAnywhere MFT. Fortra added that other components of the product’s architecture are not affected.

The report states that the vulnerability chiefly endangers customers whose admin console is reachable from the Internet, and that Fortra is continuing to monitor for further exploitation. Fortra first alerted users to the exploitation of CVE-2025-10035 on September 18. The flaw carries the maximum CVSS score of 10, indicating critical severity: an unauthenticated attacker who can supply a forged license response to the servlet can trigger deserialization of attacker-controlled data, leading to command injection and arbitrary code execution.

Microsoft reported that a cybercrime group it tracks as Storm-1175 has exploited the vulnerability and may retain access to compromised environments even after the patch is applied. The group has previously broken into networks through internet-facing applications in order to deploy Medusa ransomware, which raises the stakes of this incident.

According to Microsoft, the impact of CVE-2025-10035 is compounded by the attackers’ ability to establish long-term access, conduct reconnaissance of the compromised system, and deploy additional tooling. Fortra began its investigation after a customer reported suspicious activity on September 11; as part of its response the company reviewed logs and assessed customer configurations.

After identifying several at-risk instances, Fortra isolated those environments and contacted the affected customers to discuss mitigation. Although Fortra has committed to transparency throughout the incident, it remains unclear how the attackers were able to forge license responses that GoAnywhere MFT accepted as valid.

Benjamin Harris, CEO of the threat intelligence firm watchTowr, speculated that Fortra’s private signing key may have leaked, which would let attackers sign malicious serialized objects that any GoAnywhere instance would accept. Whatever the underlying technique, the unexplained origin of the forged responses continues to concern security researchers.
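The mechanism described above (a forged license response reaching a Java deserializer) and the two layers of defence it implies, sketched as an added Java example. This is a hypothetical illustration written for this page, not Fortra’s code: the class names, the RSA key, the SHA256withRSA signature scheme and the filter pattern are all assumptions. Signature verification before deserialization stops forged responses while the vendor key is secret; the serialization allowlist is the second layer that still limits what a signed-but-malicious stream can instantiate if, as speculated above, the signing key were ever leaked.

```java
import java.io.*;
import java.security.*;

// Hypothetical sketch of the vulnerable pattern and a hardened replacement.
public class LicenseResponseDemo {

    // Vulnerable shape: bytes are trusted because they "came from the license
    // server" and are deserialized directly. Anyone who can reach the endpoint
    // with a crafted object graph controls what runs inside readObject().
    static Object deserializeUnchecked(byte[] response) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(response))) {
            return in.readObject();
        }
    }

    // Hardened shape: verify a detached signature with the vendor's public key
    // first, then deserialize under a class allowlist so that even a signed
    // stream cannot reach arbitrary gadget classes.
    static LicenseInfo deserializeVerified(byte[] payload, byte[] sig, PublicKey vendorKey) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(vendorKey);
        verifier.update(payload);
        if (!verifier.verify(sig)) {
            throw new SecurityException("license response signature invalid");
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            // Allow only the expected record type and core java.lang types; reject everything else.
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "LicenseResponseDemo$LicenseInfo;java.lang.*;!*"));
            return (LicenseInfo) in.readObject();
        }
    }

    static final class LicenseInfo implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer; final long expiresEpoch;
        LicenseInfo(String c, long e) { customer = c; expiresEpoch = e; }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // stands in for the vendor's signing key (constructed)
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(new LicenseInfo("acme", 1L << 40)); }
        byte[] payload = bos.toByteArray();
        Signature s = Signature.getInstance("SHA256withRSA"); s.initSign(kp.getPrivate()); s.update(payload);
        byte[] sig = s.sign();
        System.out.println("verified license for " + deserializeVerified(payload, sig, kp.getPublic()).customer);
        byte[] tampered = payload.clone(); tampered[tampered.length - 1] ^= 1; // forged/modified response
        try { deserializeVerified(tampered, sig, kp.getPublic()); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```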
