Hackers Exploit Critical GoAnywhere File Transfer Flaw To Deploy Medusa Ransomware

Hackers are exploiting a severe GoAnywhere Managed File Transfer flaw to execute remote code, steal data, and deploy Medusa ransomware.

In a rush? Here are the quick facts:

  • Hackers can remotely execute code using forged license response signatures.
  • Cybercrime group Storm-1175 exploited the flaw to deploy Medusa ransomware.
  • Exploitation doesn’t require authentication on Internet-exposed systems.

Microsoft has released a warning that attackers are actively exploiting CVE-2025-10035, a severe vulnerability in GoAnywhere Managed File Transfer (MFT) that researchers say carries a maximum severity rating of 10.0.

The flaw allows hackers to take control of servers and execute remote code by sending forged license responses to the platform’s License Servlet.

According to Microsoft Threat Intelligence, a cybercriminal group called Storm-1175, known for using Medusa ransomware, has been exploiting the flaw in real-world attacks since September 11, 2025.

“The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE),” according to Microsoft.

The bug affects GoAnywhere MFT Admin Console versions up to 7.8.3, and exploitation doesn’t require authentication, making Internet-exposed systems particularly vulnerable.

Attackers use the SimpleHelp and MeshAgent remote monitoring tools to gain system access and create .jsp files in MFT directories to maintain persistence.

The attackers perform network discovery using netscan followed by lateral movement through mstsc.exe before executing Medusa ransomware attacks.

Microsoft says attackers also used Cloudflare tunnels to hide their command-and-control (C2) communications and Rclone for data theft. “Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed,” the report stated.
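The post-exploitation chain described above (a .jsp file dropped into an MFT directory, SimpleHelp or MeshAgent, netscan, mstsc.exe, a Cloudflare tunnel, Rclone) is the kind of activity a defender can look for in endpoint telemetry. The following is an added example, not detection logic from Microsoft, Fortra or the article: it runs a handful of rules over constructed process and file events and flags each stage it sees, and it includes a helper that reports whether a GoAnywhere MFT Admin Console version falls in the affected range the article gives (up to 7.8.3). The event format, the MFT web directory path and the `cloudflared.exe` image name are assumptions.

```python
"""Added example (not from the article): flag the post-exploitation steps the
article describes in a stream of endpoint events, and check whether an MFT
version is in the affected range (<= 7.8.3)."""

# ASSUMPTION: placeholder install root for the MFT web application; real
# deployments differ, so take this from the actual server configuration.
MFT_WEB_DIRS = ("c:\\goanywhere\\tomcat\\webapps\\",)


def _proc_is(*names):
    """Predicate: process image file name (case-insensitive) is one of names."""
    wanted = tuple(n.lower() for n in names)
    return lambda ev: ev.get("image", "").lower().rsplit("\\", 1)[-1] in wanted


# (rule name, event type it applies to, predicate on the event)
RULES = [
    ("jsp_dropped_in_mft_webroot", "file_create",
     lambda ev: ev["path"].lower().endswith(".jsp")
     and ev["path"].lower().startswith(MFT_WEB_DIRS)),
    ("rmm_tool_on_mft_server", "process_start",
     _proc_is("simplehelp.exe", "meshagent.exe")),
    ("network_discovery_netscan", "process_start", _proc_is("netscan.exe")),
    ("lateral_movement_mstsc", "process_start", _proc_is("mstsc.exe")),
    # ASSUMPTION: the Cloudflare tunnel client binary is named cloudflared.exe
    ("cloudflare_tunnel_c2", "process_start", _proc_is("cloudflared.exe")),
    ("rclone_exfiltration", "process_start", _proc_is("rclone.exe")),
]

# Constructed sample telemetry from a hypothetical MFT host; not real data.
EVENTS = [
    {"type": "process_start", "host": "mft01",
     "image": "C:\\Program Files\\Java\\bin\\java.exe"},
    {"type": "file_create", "host": "mft01",
     "path": "C:\\GoAnywhere\\tomcat\\webapps\\ROOT\\update.jsp"},
    {"type": "process_start", "host": "mft01",
     "image": "C:\\Users\\Public\\MeshAgent.exe"},
    {"type": "process_start", "host": "mft01", "image": "C:\\Temp\\netscan.exe"},
    {"type": "process_start", "host": "mft01",
     "image": "C:\\Windows\\System32\\mstsc.exe"},
    {"type": "process_start", "host": "mft01", "image": "C:\\Temp\\cloudflared.exe"},
    {"type": "process_start", "host": "mft01", "image": "C:\\Temp\\rclone.exe"},
    {"type": "file_create", "host": "mft01",
     "path": "C:\\GoAnywhere\\tomcat\\webapps\\ROOT\\report.pdf"},
]


def detect(events):
    """Return [(event_index, rule_name)] for every event matching a rule."""
    findings = []
    for idx, ev in enumerate(events):
        for name, etype, pred in RULES:
            if ev.get("type") == etype and pred(ev):
                findings.append((idx, name))
    return findings


def stages_seen(events):
    """Ordered, de-duplicated list of rule names that fired; several stages
    on one host in a short window is the pattern the article describes."""
    seen = []
    for _, name in detect(events):
        if name not in seen:
            seen.append(name)
    return seen


def is_affected_version(version: str) -> bool:
    """True if the Admin Console version is within the range the article
    lists as affected (up to and including 7.8.3). Missing components are
    treated as zero, so "7.8" compares as 7.8.0."""
    parts = tuple(int(p) for p in version.split("."))
    return (parts + (0, 0, 0))[:3] <= (7, 8, 3)


if __name__ == "__main__":
    for idx, name in detect(EVENTS):
        print(f"event {idx}: {name}")
    print("affected 7.8.3:", is_affected_version("7.8.3"))
    print("affected 7.8.4:", is_affected_version("7.8.4"))
```

Each rule on its own is noisy (mstsc.exe is everyday administration), so the useful signal is several stages firing on the same MFT host, which is what `stages_seen` surfaces; a real deployment would read events from an EDR or Sysmon feed instead of the constructed list.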

Microsoft urges users to apply the update right away, following Fortra’s recommended steps, and notes that installing the security update does not remove malware already present on a compromised system. “Review of the impacted system may be required,” Microsoft said.

Security experts recommend that businesses block Internet access to the server and enable multi-factor authentication, and suggest using Microsoft Defender External Attack Surface Management to identify exposed systems.

Microsoft Defender protects customers by detecting and blocking attempts to exploit this vulnerability.
