A critical zero-day vulnerability in GoAnywhere Managed File Transfer’s (MFT) License Servlet is being actively exploited by threat actors to deploy Medusa ransomware.
Fortra disclosed CVE-2025-10035, a deserialization flaw in GoAnywhere MFT versions up to and including 7.8.3, with the maximum Common Vulnerability Scoring System (CVSS) 3.1 base score of 10.0.
Security researchers observed that the Storm-1175 group weaponized this flaw to achieve remote code execution (RCE) on internet-facing deployments, leading to widespread network compromise and ransomware deployment.
Vulnerability Analysis
CVE-2025-10035 resides in the License Servlet of GoAnywhere MFT. An attacker who can present a license response carrying a signature that passes the servlet's verification can make the servlet deserialize an arbitrary, attacker-controlled object.
Because the servlet is reachable without authentication, a forged response is all that is needed: no credentials, no prior foothold. The deserialization itself, not a separate command-injection bug, is what yields remote code execution.
Any GoAnywhere MFT instance whose License Servlet is exposed to the internet is therefore at immediate risk.
Successful exploitation lets the attacker run system discovery commands, escalate privileges, and install additional tooling to support lateral movement.
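The following Python analog, added here and not taken from GoAnywhere's Java code or Fortra's advisory, shows why a "verify signature, then deserialize objects" design fails the way the text describes: once the gate passes (a forged or stolen signature), an unrestricted object deserializer will instantiate or call whatever the payload names. The signing key, the `gadget` function and the payload format are assumptions made for the example; the gadget only records a marker where a real chain would reach a command execution primitive.

```python
"""Added example (not GoAnywhere's code): a license-response handler that
verifies a signature and then deserializes the body, beside a hardened
variant whose deserializer cannot resolve any class or function."""
import hashlib
import hmac
import io
import pickle

# Constructed key for the example; a real server would verify a vendor signature.
SIGNING_KEY = b"example-signing-key"

EXECUTED = []  # side effects observed while deserializing


def gadget(marker):
    """Stand-in for code an attacker gets executed during deserialization.
    A real chain would call os.system or similar; this one just records."""
    EXECUTED.append(marker)
    return marker


class MaliciousLicense:
    """Object whose __reduce__ makes the unpickler call gadget() on load."""

    def __reduce__(self):
        return (gadget, ("attacker code ran",))


def sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def verify(payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(payload), sig)


def handle_license_response_vulnerable(payload: bytes, sig: bytes):
    """Vulnerable pattern: signature check, then unrestricted object
    deserialization. Any bypass of the check, or a forged signature,
    turns the handler into arbitrary code execution."""
    if not verify(payload, sig):
        raise ValueError("bad signature")
    return pickle.loads(payload)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global, so no class or function named in the
    payload can be instantiated or called; only primitive data survives."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def handle_license_response_hardened(payload: bytes, sig: bytes):
    """Same gate, but the sink can only produce plain containers and scalars."""
    if not verify(payload, sig):
        raise ValueError("bad signature")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def demo():
    """Model an attacker who holds a signature the gate accepts and sends a
    gadget payload; also feed a benign response through the hardened path."""
    benign = pickle.dumps({"licensee": "example-corp", "seats": 25})  # constructed
    evil = pickle.dumps(MaliciousLicense())
    results = {"benign_hardened": handle_license_response_hardened(benign, sign(benign))}
    results["vulnerable"] = handle_license_response_vulnerable(evil, sign(evil))
    try:
        handle_license_response_hardened(evil, sign(evil))
        results["hardened"] = "deserialized"
    except pickle.UnpicklingError as exc:
        results["hardened"] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The durable fix is the hardened shape: the deserializer must be incapable of resolving attacker-named types, or the license format should be plain data (for example signed JSON) rather than serialized objects. Strengthening the signature check alone leaves the sink intact.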
CVE ID | Vulnerability Type | Affected Product & Versions | CVSS Score (3.1) |
---|---|---|---|
CVE-2025-10035 | Deserialization flaw | GoAnywhere MFT License Servlet Admin Console ≤ 7.8.3 | 10.0 |
Microsoft Threat Intelligence first identified active exploitation on September 11, 2025.
Storm-1175’s campaign follows a precise multi-stage pattern beginning with initial access through License Servlet exploitation.
Once RCE is obtained, the attackers use the GoAnywhere process to drop and launch remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent.
Concurrently, web shells (in .jsp format) are deployed to application directories for persistence. Subsequent discovery steps involve executing commands like whoami, systeminfo, and net user to map the environment.
Lateral movement is accomplished through RDP sessions launched with mstsc.exe, while command-and-control channels are maintained through the RMM tools over a Cloudflare tunnel.
Data exfiltration relies on Rclone for large-scale transfers. The final stage deploys Medusa ransomware, encrypting systems and demanding payment in exchange for decryption keys.
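The chain above gives a defender a small set of high-signal telemetry checks: a file-transfer server's Java process spawning shells, discovery commands or RMM installers, and .jsp files appearing under the application directory. The detector below is an added example, not Microsoft's or Fortra's tooling; the event field names, the GoAnywhere install path and the sample events are constructed assumptions about how an EDR sensor would label such data.

```python
"""Added example (not from the original report): detection logic for the
Storm-1175 post-exploitation chain, run over constructed process-creation
and file-creation events."""
from pathlib import PureWindowsPath

# Assumed install path; adjust to the deployment being monitored.
GOANYWHERE_DIR = PureWindowsPath(r"C:\Program Files\Fortra\GoAnywhere")

# Children that a managed file transfer server's Java process should never spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DISCOVERY = {"whoami.exe", "systeminfo.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe"}
TOOL_TAGS = {"simplehelp", "meshagent", "rclone", "mstsc", "cloudflared"}


def _base(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _is_goanywhere_java(event: dict) -> bool:
    """Parent is a java.exe/javaw.exe whose command line references GoAnywhere."""
    return (_base(event.get("parent_image", "")) in {"java.exe", "javaw.exe"}
            and "goanywhere" in event.get("parent_command_line", "").lower())


def _under(path: str, root: PureWindowsPath) -> bool:
    try:
        PureWindowsPath(path).relative_to(root)
        return True
    except ValueError:
        return False


def classify(event: dict):
    """Return (rule, detail) when an event matches a stage of the chain, else None."""
    if event["type"] == "process_create" and _is_goanywhere_java(event):
        child = _base(event["image"])
        if child in SHELLS:
            return ("goanywhere_spawned_shell", event["command_line"])
        if child in DISCOVERY:
            return ("goanywhere_discovery", event["command_line"])
        if any(tag in child for tag in TOOL_TAGS):
            return ("goanywhere_dropped_tool", event["command_line"])
    elif event["type"] == "file_create":
        path = event["path"]
        if path.lower().endswith(".jsp") and _under(path, GOANYWHERE_DIR):
            return ("webshell_in_app_dir", path)
    return None


def detect(events):
    """Return (host, rule, detail) for every event that matches a rule."""
    return [(e["host"], *hit) for e in events if (hit := classify(e))]


# Constructed sample telemetry: four malicious events followed by three benign ones.
JAVA = r"C:\Program Files\Fortra\GoAnywhere\jre\bin\java.exe"
JAVA_CMD = f'"{JAVA}" -Xmx2g GoAnywhere'
SAMPLE_EVENTS = [
    {"host": "mft01", "type": "process_create", "parent_image": JAVA, "parent_command_line": JAVA_CMD,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "mft01", "type": "process_create", "parent_image": JAVA, "parent_command_line": JAVA_CMD,
     "image": r"C:\Windows\System32\systeminfo.exe", "command_line": "systeminfo"},
    {"host": "mft01", "type": "process_create", "parent_image": JAVA, "parent_command_line": JAVA_CMD,
     "image": r"C:\Windows\Temp\simplehelp-agent.exe", "command_line": "simplehelp-agent.exe /S"},
    {"host": "mft01", "type": "file_create",
     "path": r"C:\Program Files\Fortra\GoAnywhere\webapps\ROOT\cmd.jsp"},
    {"host": "ws07", "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "parent_command_line": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    {"host": "mft01", "type": "process_create", "parent_image": JAVA, "parent_command_line": JAVA_CMD,
     "image": JAVA, "command_line": JAVA_CMD},
    {"host": "dev02", "type": "file_create", "path": r"D:\src\site\index.jsp"},
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

The parent-process rules are deliberately narrow (a Java parent whose command line references GoAnywhere) so they stay quiet on ordinary hosts; the .jsp rule complements the attack surface reduction guidance below by alerting on the artifact even where blocking is not enabled.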
Mitigation and Protection Guidance
Organizations are strongly urged to upgrade immediately to a patched GoAnywhere MFT release (7.8.4, or 7.6.3 for the Sustain Release line).
Patching does not evict an attacker who is already present, so any host that was exposed while unpatched should be treated as suspect and investigated thoroughly before it is trusted again.
Restrict outbound internet access from GoAnywhere servers to block tool downloads and command-and-control communications, and ensure the Admin Console is not reachable from the public internet.
Deploy endpoint detection and response (EDR) solutions in block mode to intercept malicious artifacts that evade signature-based antivirus.
Enable automated investigation and remediation workflows to accelerate incident response.
Configure attack surface reduction rules to block web shell creation on servers and to block executables that do not meet prevalence, age, or trusted-list criteria.
External attack surface management tools can be used to discover unpatched GoAnywhere instances.
Continuously monitor the GoAnywhere logs for License Servlet errors, in particular signature-verification failures; Fortra has pointed to stack traces containing SignedObject.getObject as an indicator of exploitation attempts, so their presence warrants immediate investigation.
Finally, leveraging Microsoft Defender vulnerability management and extended detection and response (XDR) capabilities provides unified visibility into vulnerable devices, alerts on exploitation, and orchestrated response across the environment.
By combining rapid patch deployment, stringent network restrictions, and advanced endpoint security measures, organizations can significantly reduce the risk posed by CVE-2025-10035 and disrupt Storm-1175’s Medusa ransomware campaigns.