{"id":3136,"date":"2025-10-07T12:00:29","date_gmt":"2025-10-07T12:00:29","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/10\/07\/microsoft-critical-goanywhere-bug-exploited-in-medusa-ransomware-campaign\/"},"modified":"2025-10-07T12:00:29","modified_gmt":"2025-10-07T12:00:29","slug":"microsoft-critical-goanywhere-bug-exploited-in-medusa-ransomware-campaign","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/10\/07\/microsoft-critical-goanywhere-bug-exploited-in-medusa-ransomware-campaign\/","title":{"rendered":"Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A vulnerability in Fortra\u2019s GoAnywhere Managed File Transfer (MFT) tool with a CVSS score of 10.0 is being actively exploited in ransomware attacks, Microsoft has warned.<\/p>\n<p>The tech giant published a blog post yesterday to urge customers to patch CVE-2025-10035: a critical deserialization flaw in GoAnywhere MFT\u2019s License Servlet Admin Console.<\/p>\n<p>\u201cIt enables an attacker to bypass signature verification by crafting a forged license response signature, which then allows the deserialization of arbitrary, attacker-controlled objects,\u201d Microsoft explained.<\/p>\n<p>\u201cSuccessful exploitation could result in command injection and potential RCE [remote code execution] on the affected system. 
Public reports indicate that exploitation does not require authentication if the attacker can craft or intercept valid license responses, making this vulnerability particularly dangerous for internet-exposed instances.\u201d<\/p>\n<p>Following exploitation, threat actors can perform system and user discovery, maintain long-term access\u00a0and deploy other\u00a0tools for lateral movement and malware, it added.<\/p>\n<p><em>Read more on GoAnywhere: Exploit Code Released for Critical Fortra GoAnywhere Bug<\/em><\/p>\n<p>Although patched by developer Fortra on September 18, the vulnerability was originally exploited as a zero day a week earlier (September 11) by threat group Storm-1175.<\/p>\n<p>Following initial access, the group launched binaries from legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent, used tools like netscan for network discovery\u00a0and moved laterally using the Microsoft Remote Desktop Connection client\u00a0(\u201cmstsc.exe\u201d).<\/p>\n<p>\u201cFor command-and-control (C2), the threat actor utilized RMM tools to establish their infrastructure and even set up a Cloudflare tunnel for secure C2 communication,\u201d the report continued.<\/p>\n<p>\u201cDuring the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment. 
Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.\u201d<\/p>\n<p>According to the Shadowserver Foundation, there are 513 GoAnywhere instances currently exposed, most of which (363) are located in North America.<\/p>\n<h2>Medusa Strikes Again<\/h2>\n<p>First identified in 2021, Medusa has snared over 300 global victims in critical infrastructure sectors,\u00a0according to a joint advisory from March published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC).<\/p>\n<p>It claimed over 40 victims in the first two months of 2025 alone, including a confirmed attack on a US healthcare organization.<\/p>\n<p>The affiliates using the ransomware-as-a-service variant usually achieve initial access either through phishing campaigns or by exploiting unpatched software vulnerabilities. In previous campaigns, they\u2019ve used a ScreenConnect authentication bypass (CVE-2024-1709) and Fortinet EMS SQL injection flaw (CVE-2023-48788).<\/p>\n<p>Microsoft urged\u00a0GoAnywhere customers to:<\/p>\n<ul>\n<li>Upgrade to the latest version of the software in line with\u00a0Fortra\u2019s recommendations<\/li>\n<li>Use an enterprise attack surface management product to discover unpatched systems on the network perimeter<\/li>\n<li>Check the perimeter firewall and proxy to ensure servers are not allowed to access the internet for arbitrary connections, like browsing and downloads<\/li>\n<li>Run\u00a0endpoint detection and response (EDR) tools in block mode to remediate malicious artifacts detected post-breach<\/li>\n<li>Turn on\u00a0block mode\u00a0in corporate anti-virus products<\/li>\n<\/ul><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A vulnerability in Fortra\u2019s GoAnywhere Managed File Transfer (MFT) tool with a CVSS score of 10.0 is being actively exploited in ransomware attacks, Microsoft has warned. 
The tech giant published a blog post yesterday to urge customers to patch CVE-2025-10035: a critical deserialization flaw in GoAnywhere MFT\u2019s License Servlet Admin Console. \u201cIt enables an attacker<\/p>\n","protected":false},"author":2,"featured_media":3137,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3136","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3136-6c3f6aa6-566f-4ad4-b9bc-0ccd64b3e789-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3136"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3136\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3137"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}