Medusa Ransomware Actors Exploit Critical Fortra GoAnywhere Flaw

Summary

Threat actors deploying Medusa ransomware (linked to Storm-1175) have been observed exploiting a maximum-severity deserialization vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) product, tracked as CVE-2025-10035. Microsoft Threat Intelligence reported in early October that exploitation was seen in multiple organisations and that Medusa was successfully deployed in at least one case. Fortra disclosed the flaw on 18 September and issued a patch, but details about how attackers satisfied a private-key signing requirement remain unclear.

Researchers at Rapid7 and watchTowr Labs flagged the puzzling requirement that an attacker supply a forged licence response carrying a valid signature (the serverkey1 check) and the apparent absence of any signature-verification fix in the patch. Hypotheses include an accidental exposure of Fortra’s private key, theft of that key, or compromise of a Fortra-hosted component such as a remote licence server. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) list, and Microsoft published IoCs and recommended defences.

Key Points

  1. CVE-2025-10035 is a deserialization vulnerability in Fortra GoAnywhere MFT; Fortra released a patch on 18 September 2025.
  2. Microsoft observed exploitation activity as early as 11 September 2025 and linked attacks to Storm-1175, a financially motivated group that deploys Medusa ransomware.
  3. Researchers are baffled by how attackers satisfied a private-key signature requirement; possibilities include key exposure, theft, or compromise of a Fortra licence server.
  4. CISA added the vulnerability to its KEV catalogue; Microsoft published IoCs and urged perimeter and firewall checks to reduce attack surface.
  5. Organisations using GoAnywhere with admin consoles exposed to the public internet are at highest risk; patching and hunting with IoCs are the immediate recommended actions.

Context and Relevance

GoAnywhere and other MFT products have been recurring targets for ransomware groups (notably the 2023 Clop campaign). This incident is significant because it appears to have been exploited as a zero-day and involves an unexplained way to bypass signature protections, which could indicate a deeper supply-chain or vendor infrastructure compromise. The case underscores ongoing risks to organisations relying on MFT solutions for sensitive file transfers and downstream exposure for customers and individuals.

Why should I read this?

Quick and blunt: if you run or secure GoAnywhere (or any MFT) — stop scrolling and check your versions now. This is one of those bugs that goes straight from disclosure to ransom notes, and the mystery around the private key means it could be worse than a straightforward patch-and-move-on. We’ve read the messy details so you don’t have to; patch, hunt using the IoCs, and lock down any admin consoles exposed to the internet.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/medusa-ransomware-exploit-fortra-goanywhere-flaw