Microsoft Warns of GoAnywhere MFT Exploit Fueling Medusa Ransomware Attacks
The Medusa group exploits a critical GoAnywhere MFT flaw to launch ransomware and data theft attacks.
Key Takeaways:
- Medusa ransomware group exploits a new GoAnywhere MFT vulnerability for large-scale attacks.
- Microsoft links the flaw to remote code execution and data theft activities.
- Urgent security patches and layered defenses recommended to prevent exploitation.
Cybercriminals are exploiting a critical flaw in GoAnywhere Managed File Transfer (MFT) software to carry out sophisticated ransomware attacks. Microsoft’s Threat Intelligence team warns that the Medusa group is weaponizing this vulnerability to deploy ransomware, steal sensitive data, and infiltrate enterprise networks.
Fortra first disclosed the deserialization vulnerability (tracked as CVE-2025-10035) in GoAnywhere MFT’s License Servlet on September 18. The License Servlet is a component responsible for verifying software licenses, which ensures that only authorized users can access and operate the system.
This flaw could allow attackers to inject commands and potentially achieve remote code execution (RCE) by forging a license response signature. Once attackers successfully exploit the vulnerability, they can explore the compromised system to gather information, install backdoors to ensure persistence, and use malware droppers to spread across the enterprise network and infect more devices.
Microsoft has confirmed that the Storm-1175 hacking group (linked to Medusa ransomware) exploited this deserialization vulnerability to target multiple organizations on September 11, 2025. The attackers then abused GoAnywhere MFT processes to deploy remote monitoring tools (called SimpleHelp and MeshAgent) to maintain persistence.
Additionally, this ransomware group dropped the RMM binaries under the GoAnywhere MFT process and created .jsp files and backdoor accounts. They then moved laterally across the network using tools such as Netscan and mstsc.exe and established command-and-control infrastructure through RMM tools and Cloudflare tunnels. For data theft, the cybercriminals used Rclone to exfiltrate files and deployed Medusa ransomware to encrypt systems.
Microsoft’s recommendations to mitigate GoAnywhere exploits
Microsoft recommends a multi-layered defense strategy to protect organizations from attacks exploiting the CVE-2025-10035 flaw in GoAnywhere MFT. Administrators must immediately update to the latest version of GoAnywhere MFT to patch this vulnerability. They should also restrict Internet exposure by ensuring the Admin Console is not publicly accessible.
Furthermore, Microsoft advises using Defender for Endpoint in block mode to detect and prevent malicious activity, and leveraging Defender External Attack Surface Management (EASM) to identify vulnerable systems. Additional protections include enabling attack surface reduction rules, automated investigation and remediation, and cloud-based machine learning defenses to detect security threats.
Rabia has a master's degree in Software Engineering and she has years of experience writing professionally about Microsoft products and other technologies. Rabia has also written for OnMSFT.com as well as Windows Report. She is always up to date on t...
