US Air Force warns of SharePoint data breach
October 16, 2025

Microsoft pins latest GoAnywhere MFT exploitation campaign on Medusa ransomware group

Microsoft has identified a cybercriminal group tracked as Storm-1175 as responsible for actively exploiting a critical deserialization vulnerability (CVE-2025-10035) in Fortra’s GoAnywhere Managed File Transfer (MFT) software. This vulnerability affects the License Servlet component and allows unauthenticated remote code execution (RCE) by processing attacker-controlled serialized data.
The attackers leveraged this zero-day flaw to gain initial access to targeted networks by crafting forged license responses that bypass signature checks, triggering unsafe deserialization and RCE within the GoAnywhere process. Once inside, they deployed remote monitoring and management tools such as SimpleHelp and MeshAgent to maintain persistence and control. They also created .jsp web shells within GoAnywhere directories, enabling remote command execution.
After establishing footholds, the group conducted extensive network discovery and lateral movement using native Windows tools. They staged sensitive data before exfiltrating it to attacker-controlled cloud storage environments via the Rclone utility. The attack campaign culminated in deploying Medusa ransomware, encrypting data, and delivering extortion demands.
Medusa is a known ransomware-as-a-service (RaaS) operation linked to sophisticated, stealthy tactics, including credential harvesting, living-off-the-land techniques, and legitimate remote tool abuse to evade detection. Microsoft and security agencies strongly urge affected organizations to patch vulnerable GoAnywhere MFT versions (upgrading to 7.8.4 or later), isolate exposed admin consoles, and monitor for signatures of exploitation such as the “SignedObject.getObject” stack trace in logs. This campaign highlights the critical need for vigilant patch management and proactive threat hunting to prevent high-impact ransomware intrusions via third-party software vulnerabilities.
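The mitigation and monitoring advice above (confirm the GoAnywhere version is at or past 7.8.4, look for the "SignedObject.getObject" stack trace in logs, and hunt for the .jsp web shells and post-exploitation tools named in the article) can be turned into a small triage script. The following is an added example written for this page, not code from Microsoft, Fortra or the original article; the log format, the install path `/opt/goanywhere`, the process names and every sample value are constructed, and the version-string format is an assumption.

```python
"""Triage helpers for the GoAnywhere MFT campaign described above (added example)."""
import re
from pathlib import PurePosixPath

# Version at which Fortra fixed CVE-2025-10035, as stated in the article.
FIXED_VERSION = (7, 8, 4)
# Log marker the article cites as a sign of exploitation attempts.
DESERIALIZATION_MARKER = "SignedObject.getObject"
# Post-exploitation tooling the article names (RMM tools and the exfiltration utility).
POST_EXPLOIT_TOOLS = ("simplehelp", "meshagent", "rclone")


def parse_version(text):
    """Turn '7.8.3' or '7.8.3-build12' into a comparable tuple (assumed format)."""
    nums = re.findall(r"\d+", text)
    if len(nums) < 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in nums[:3])


def is_vulnerable_version(text):
    """True when the installed version predates the fixed release."""
    return parse_version(text) < FIXED_VERSION


def find_deserialization_traces(log_lines):
    """Return (line_no, line) pairs carrying the SignedObject.getObject marker."""
    return [(n, line) for n, line in enumerate(log_lines, 1)
            if DESERIALIZATION_MARKER in line]


def find_jsp_drops(paths, install_root):
    """Flag .jsp files anywhere under the GoAnywhere install tree (web shell drop zone)."""
    root = PurePosixPath(install_root)
    hits = []
    for p in paths:
        pp = PurePosixPath(p)
        if pp.suffix.lower() == ".jsp" and root in pp.parents:
            hits.append(p)
    return hits


def find_post_exploit_tools(process_names):
    """Return process names matching the RMM/exfiltration tools named in the article."""
    return sorted({n for n in process_names
                   if any(tool in n.lower() for tool in POST_EXPLOIT_TOOLS)})


def hunt(version, log_lines, paths, processes, install_root="/opt/goanywhere"):
    """Combine the checks into one findings dict for a single host."""
    return {
        "vulnerable_version": is_vulnerable_version(version),
        "deserialization_traces": find_deserialization_traces(log_lines),
        "jsp_drops": find_jsp_drops(paths, install_root),
        "post_exploit_tools": find_post_exploit_tools(processes),
    }


# --- constructed sample inputs (not real telemetry) ---
SAMPLE_VERSION = "7.8.3"
SAMPLE_LOG = [
    "2025-09-11 02:14:07 INFO  LicenseServlet: license response received",
    "2025-09-11 02:14:07 ERROR java.lang.ClassNotFoundException at "
    "java.security.SignedObject.getObject(SignedObject.java)",
    "2025-09-11 02:14:09 INFO  scheduled job completed",
]
SAMPLE_PATHS = [
    "/opt/goanywhere/tomcat/webapps/ROOT/x.jsp",
    "/opt/goanywhere/userdata/help.html",
    "/opt/goanywhere-backup/old.jsp",
]
SAMPLE_PROCESSES = ["explorer.exe", "SimpleHelp Remote Access.exe",
                    "rclone.exe", "svchost.exe"]

if __name__ == "__main__":
    for key, value in hunt(SAMPLE_VERSION, SAMPLE_LOG, SAMPLE_PATHS,
                           SAMPLE_PROCESSES).items():
        print(f"{key}: {value}")
```

The path check uses `PurePosixPath.parents` rather than a string prefix so that a sibling directory such as `/opt/goanywhere-backup` does not match the install tree; a .jsp found under the real install root is worth a manual look because GoAnywhere does not normally gain new .jsp files after installation. The version comparison treats any release below 7.8.4 as exposed, which is how the article frames the patch guidance.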
