Attackers Exploit GoAnywhere MFT Zero-Day Vulnerability to Deploy Medusa Ransomware

Cybercriminals have been exploiting a critical deserialization vulnerability (CVE-2025-10035) in Fortra’s GoAnywhere Managed File Transfer (MFT) tool to deploy the Medusa ransomware, according to a report released by Microsoft on Monday.

Microsoft stated that this campaign is conducted by a threat group it tracks as Storm-1175. The incident marks yet another case in which file transfer infrastructure has been leveraged as an initial foothold for large-scale cyberattacks.

Overview of the Attack

According to Microsoft’s report, Storm-1175 exploited this vulnerability to gain initial access to targeted networks. Once inside, the attackers deployed remote administration tools such as SimpleHelp and MeshAgent to perform privilege escalation and lateral movement.

The impact is severe — after exploiting the flaw, the attackers conducted reconnaissance of systems and user environments, maintaining persistent access while preparing to deploy ransomware payloads.

Technical Details of the Vulnerability

CVE-2025-10035 resides in GoAnywhere MFT’s License Servlet and stems from unsafe deserialization.
Attackers can forge a “valid license response signature” and cause the servlet to deserialize attacker-controlled objects, leading to command injection.

Fortra confirmed this flaw in a security advisory and released patches in version 7.8.4 (and sustained release 7.6.3).

Security researchers note that this vulnerability is part of a multi-stage attack chain, combining multiple flaws rather than functioning in isolation.
Rapid7 reported that the chain involves an access control bypass dating back to 2023, the new deserialization flaw, and additional factors related to the unverified license key structure.
Successful exploitation requires that the GoAnywhere administrative console or license endpoint be publicly accessible from the internet.

Notably, GoAnywhere was also compromised in 2023 through CVE-2023-0669, which was exploited by ransomware operators at that time as well — suggesting that attackers continue to view GoAnywhere as a high-value target.

From File Transfer Exploitation to Medusa Ransomware Deployment

After breaching GoAnywhere instances, attackers uploaded disguised web shells into the MFT environment to establish an initial foothold.
Microsoft observed that lateral movement began with the deployment of remote monitoring tools, followed by reconnaissance activities and, ultimately, the deployment of the Medusa ransomware payload.

In this attack chain, the vulnerability itself did not directly perform file encryption. Instead, it served as a gateway into the internal network.
Once inside, the attackers selected specific victim systems on which Medusa was finally deployed and executed for encryption.

Storm-1175 remains active in the ransomware ecosystem, with a known tendency to target externally facing applications to obtain initial access.
The exploitation of GoAnywhere demonstrates the group’s adaptability in repurposing known tools through new attack vectors.
The Medusa ransomware, which has targeted over 300 critical infrastructure organizations, is known for its double extortion tactics and for operating a leak site to pressure victims.

According to cyber threat intelligence firm Cyble, activity associated with this group increased by 45% year-over-year in 2025.

Detection and Defense Recommendations

Microsoft’s advisory includes detection guidance for both network and host-based indicators of compromise.
Incident responders are advised to look for the following signs:

・Unusual HTTP POST traffic to administrative endpoints

・Newly created JSP/WAR files in webapp directories

・Suspicious scheduled tasks

・Abnormal Java process invocations

Microsoft has published a list of Indicators of Compromise (IOCs) and recommends hunting based on the observed filenames and hashes of specific web shells.

The company also advises collecting telemetry related to process command-line arguments and file write events associated with MFT server user accounts.
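The following is an added illustration of how the four host and network indicators listed above, plus the process command-line telemetry mentioned in the last paragraph, can be turned into simple hunting checks. It is example code written for this article, not tooling from Microsoft, Fortra or the GoAnywhere product. The log lines, file events and process events are constructed samples; the administrative and license URL prefixes, the webapp install directory and the internal address range are assumptions that a responder would replace with values from their own deployment.

```python
"""Hunting helpers for the GoAnywhere MFT indicators described in the article (added example)."""
import ipaddress
import re
from datetime import datetime, timezone

# --- Constructed sample telemetry (placeholders, not values from the report) ---
# Web server access log in Combined Log Format.
ACCESS_LOG = """\
10.0.0.5 - - [29/Sep/2025:10:01:02 +0000] "GET /goanywhere/web/index.xhtml HTTP/1.1" 200 5120
203.0.113.7 - - [29/Sep/2025:10:03:44 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 312
203.0.113.7 - - [29/Sep/2025:10:03:51 +0000] "POST /goanywhere/admin/jobs HTTP/1.1" 302 0
10.0.0.9 - - [29/Sep/2025:10:05:00 +0000] "GET /goanywhere/static/app.js HTTP/1.1" 200 7812
"""
# File-create events from endpoint telemetry: (UTC timestamp, path, writing account).
FILE_EVENTS = [
    ("2025-09-29T10:03:52Z", "/opt/goanywhere/tomcat/webapps/goanywhere/help.jsp", "goanywhere"),
    ("2025-09-29T10:04:10Z", "/opt/goanywhere/tomcat/webapps/ROOT/status.war", "goanywhere"),
    ("2025-09-29T10:06:00Z", "/opt/goanywhere/userdata/reports/daily.csv", "goanywhere"),
]
# Process-create events: (parent image, child image, child command line).
PROC_EVENTS = [
    ("java", "sh", 'sh -c "whoami"'),
    ("java", "java", "java -jar /opt/goanywhere/lib/worker.jar"),
    ("sshd", "bash", "bash -l"),
]

# --- Assumed environment-specific settings (replace with your own) ---
ADMIN_PREFIXES = ("/goanywhere/lic/", "/goanywhere/admin/")   # assumed license/admin paths
WEBAPP_DIRS = ("/opt/goanywhere/tomcat/webapps/",)            # assumed install location
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # assumed internal range
BASELINE = datetime(2025, 9, 29, 9, 0, tzinfo=timezone.utc)   # last known-good inventory time
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh"}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')


def parse_access_line(line):
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status, _size = m.groups()
    return {"src": src, "ts": ts, "method": method, "path": path, "status": int(status)}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def flag_admin_posts(log_text):
    """Indicator 1: HTTP POSTs to administrative or license endpoints.

    Returns (source, path, origin) tuples; 'external' origins deserve the first look,
    since the license endpoint should not normally be reachable from the internet.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(ADMIN_PREFIXES):
            origin = "internal" if is_internal(rec["src"]) else "external"
            hits.append((rec["src"], rec["path"], origin))
    return hits


def flag_new_webapp_files(events, baseline=BASELINE):
    """Indicator 2: JSP/WAR files created under webapp directories after the baseline."""
    hits = []
    for ts, path, _user in events:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if when > baseline and path.startswith(WEBAPP_DIRS) and path.lower().endswith((".jsp", ".war")):
            hits.append(path)
    return hits


def flag_java_spawned_shells(events):
    """Indicator 4 + command-line telemetry: the MFT Java runtime spawning a shell."""
    return [cmd for parent, child, cmd in events
            if "java" in parent.lower() and child.lower() in SHELLS]


if __name__ == "__main__":
    for name, hits in (("admin POSTs", flag_admin_posts(ACCESS_LOG)),
                       ("new webapp files", flag_new_webapp_files(FILE_EVENTS)),
                       ("java->shell", flag_java_spawned_shells(PROC_EVENTS))):
        print(f"{name}: {hits}")
```

Each check is deliberately narrow: a POST to the license servlet from an internal address may be legitimate, while the same request from an external address lines up with the exposure condition noted earlier (the endpoint being reachable from the internet). The file check relies on a baseline inventory time, so it catches web shells dropped after the last known-good snapshot rather than files that belong to the product. Suspicious scheduled tasks (indicator 3) are not modelled here because their format varies by platform and scheduler.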