GoAnywhere Zero-Day Exploited to Deliver Medusa Ransomware

Hackers exploit a GoAnywhere zero-day flaw to deploy Medusa ransomware. Learn the risks, impact, and key defenses to stay protected.

Written By
Ken Underhill
Oct 7, 2025

A zero-day flaw in GoAnywhere Managed File Transfer (MFT) software is already being exploited in the wild to deploy Medusa ransomware, prompting urgent warnings from Microsoft and Fortra. 

The deserialization vulnerability affects GoAnywhere MFT versions up to 7.8.3. Once a forged license response has been crafted, attackers can execute arbitrary commands remotely and seize full control of vulnerable systems without authentication.

According to Microsoft researchers, “… exploitation does not require authentication if the attacker can craft or intercept valid license responses.”

A threat to business continuity

Storm-1175, the group behind the attacks, has used the flaw to gain initial access, execute commands, and deploy ransomware across enterprise environments. 

The ease of exploitation for this vulnerability, combined with its reach across internet-exposed instances, makes it a serious risk to data confidentiality and business continuity.

Exploited and encrypted

The vulnerability (CVE-2025-10035) resides in GoAnywhere MFT’s License Servlet Admin Console, where attackers can bypass digital signature checks on license responses. 

By crafting or intercepting a signed payload, they can deserialize malicious objects, inject commands, and achieve remote code execution (RCE). Once inside, adversaries deploy remote monitoring and management (RMM) tools such as MeshAgent and SimpleHelp, enabling stealthy persistence.
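The defect class described above is "deserialize first, check the signature later" (or check it badly). The following added example, which is not code from Fortra, GoAnywhere or this article, shows the safe ordering in Python: verify the signature over the raw bytes, then deserialize through a class allowlist, and treat any failure as a rejected response. The HMAC key, the field names and the sample responses are all constructed for the demo; a real product would verify an asymmetric signature against the vendor's public key rather than a shared secret.

```python
import datetime
import hashlib
import hmac
import io
import pickle

# Constructed demo key. Stands in for the asymmetric signature check a real
# license verifier performs; it exists only so the example runs offline.
LICENSE_VERIFY_KEY = b"demo-license-verification-key"
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes prepended to the body

# Only plain data types may appear in a license response. Any other class
# reference is refused before the object is ever constructed.
ALLOWED_CLASSES = {
    ("builtins", "dict"), ("builtins", "list"),
    ("builtins", "str"), ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) pairs."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"{module}.{name} not permitted in license data")


def _sign(body: bytes) -> bytes:
    return hmac.new(LICENSE_VERIFY_KEY, body, hashlib.sha256).digest()


def make_license_response(fields) -> bytes:
    """Issuer side: serialize, then sign the exact bytes that will be parsed."""
    body = pickle.dumps(fields, protocol=4)
    return _sign(body) + body


def parse_license_response(blob: bytes) -> dict:
    """Consumer side: signature check on the raw bytes comes first; only a
    response that passes is deserialized, and only through the allowlist.
    Reversing these two steps would hand attacker-controlled bytes to the
    deserializer before anyone has checked who signed them."""
    if len(blob) < SIG_LEN:
        raise ValueError("license response too short")
    sig, body = blob[:SIG_LEN], blob[SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("license response signature invalid")
    obj = RestrictedUnpickler(io.BytesIO(body)).load()
    if not isinstance(obj, dict):
        raise ValueError("license response is not a mapping")
    return obj


def check_license_response(blob: bytes) -> str:
    """Map the outcome to a short verdict string suitable for a log line."""
    try:
        parse_license_response(blob)
        return "ok"
    except (ValueError, pickle.UnpicklingError) as exc:
        return "rejected: " + str(exc)


# Constructed sample inputs covering the cases a verifier must handle.
_good = make_license_response({"licensee": "Example Corp", "seats": 25})
SAMPLE_RESPONSES = {
    "good": _good,
    # one flipped byte in the body: signature no longer matches
    "tampered": _good[:-1] + bytes([_good[-1] ^ 0x01]),
    # body with no valid signature at all
    "unsigned": b"\x00" * SIG_LEN + pickle.dumps({"seats": 9999}, protocol=4),
    # correctly signed, but carries a class reference outside the allowlist
    "signed_non_data": make_license_response(datetime.date(2025, 10, 7)),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_RESPONSES.items():
        print(f"{name:16s} -> {check_license_response(blob)}")
```

The `signed_non_data` case is the one worth noting: a valid signature alone is not enough if the issuing key can be abused or intercepted, so the allowlist is a second, independent control on what the deserializer is willing to instantiate.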

From there, the attackers perform user and domain discovery, establish command-and-control (C2) channels via Cloudflare, and use rclone for data exfiltration. The final payload, Medusa ransomware, encrypts systems and demands payment, with infections now confirmed by Microsoft across multiple organizations.

Defending against the GoAnywhere exploit

With active exploitation in the wild, these defensive measures can help contain threats and prevent successful Medusa ransomware deployment.

  • Patch immediately to the latest GoAnywhere MFT version.
  • Restrict outbound connections from GoAnywhere servers to only approved endpoints.
  • Enable EDR solutions in block mode so malicious artifacts are stopped even when the primary antivirus is running in passive mode.
  • Apply attack surface reduction (ASR) rules, such as blocking unsigned executables and preventing web shell creation.
  • Monitor for indicators of compromise (IOCs) like unauthorized .jsp files, suspicious PowerShell activity, or unexpected Cloudflare tunneling.
  • Leverage automated investigations in Microsoft Defender or equivalent tools to reduce response time and alert fatigue.

Together, these actions create a layered defense that closes the GoAnywhere exploit path, limits the movement of attackers, and strengthens resilience against future ransomware campaigns.
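The monitoring bullet above lists the signals to watch for but not how to check them. As an added example (not code from the article, Microsoft or Fortra), the Python below runs a handful of detection rules over constructed, newline-delimited JSON telemetry: a shell spawned by the MFT service process, encoded PowerShell, the tools named in the Storm-1175 chain (rclone, cloudflared, MeshAgent, SimpleHelp), JSP files outside a known baseline, and outbound Cloudflare tunnel activity. The event shape, the install path, the parent image names for the MFT service, and all sample events are assumptions made for the demo; adapt the field names to whatever your EDR or SIEM actually emits.

```python
import json
import re

# Constructed baseline of JSP files expected under the GoAnywhere web root.
# The install path is a placeholder; capture a real baseline from a known-good host.
KNOWN_JSP = {"C:/GoAnywhere/tomcat/webapps/ROOT/index.jsp"}

# Process images the article names in the intrusion chain (RMM, exfiltration, tunneling).
WATCHED_TOOLS = {"rclone.exe", "cloudflared.exe", "meshagent.exe", "simplehelp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parent image names assumed for the MFT service process (hypothetical).
MFT_PARENTS = {"java.exe", "goanywhere.exe"}
# PowerShell's encoded-command switch and its common abbreviations.
ENCODED_PS = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)

# Constructed sample telemetry, one JSON object per line; these are not real events.
SAMPLE_EVENTS = """\
{"type":"process","host":"mft01","parent":"java.exe","image":"cmd.exe","cmdline":"cmd.exe /c whoami"}
{"type":"process","host":"mft01","parent":"java.exe","image":"powershell.exe","cmdline":"powershell.exe -enc SQBFAFgA"}
{"type":"process","host":"mft01","parent":"services.exe","image":"rclone.exe","cmdline":"rclone.exe copy C:/shares remote:bucket"}
{"type":"process","host":"mft01","parent":"explorer.exe","image":"notepad.exe","cmdline":"notepad.exe notes.txt"}
{"type":"file","host":"mft01","path":"C:/GoAnywhere/tomcat/webapps/ROOT/uploads/x.jsp"}
{"type":"file","host":"mft01","path":"C:/GoAnywhere/tomcat/webapps/ROOT/index.jsp"}
{"type":"network","host":"mft01","image":"cloudflared.exe","dest":"203.0.113.10","port":7844}
"""


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    kind = event.get("type")
    image = str(event.get("image", "")).lower()
    if kind == "process":
        parent = str(event.get("parent", "")).lower()
        cmdline = str(event.get("cmdline", ""))
        # The MFT service has no business launching shells; a child shell
        # under it is the usual footprint of command execution via the web app.
        if parent in MFT_PARENTS and image in SHELLS:
            hits.append("mft-spawned-shell")
        if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmdline):
            hits.append("encoded-powershell")
        if image in WATCHED_TOOLS:
            hits.append("watched-tool")
    elif kind == "file":
        path = str(event.get("path", ""))
        # Any JSP that is not part of the shipped web application is suspect.
        if path.lower().endswith(".jsp") and path not in KNOWN_JSP:
            hits.append("unexpected-jsp")
    elif kind == "network":
        if image == "cloudflared.exe":
            hits.append("cloudflare-tunnel")
    return hits


def scan(jsonl: str) -> list[tuple[int, list[str]]]:
    """Scan newline-delimited JSON; return (line number, rules hit) per alerting event."""
    findings = []
    for lineno, line in enumerate(jsonl.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # Malformed telemetry is itself worth surfacing rather than silently dropping.
            findings.append((lineno, ["unparseable-event"]))
            continue
        hits = classify(event)
        if hits:
            findings.append((lineno, hits))
    return findings


def rule_counts(jsonl: str) -> dict[str, int]:
    """Aggregate how often each rule fired, for a quick triage summary."""
    counts: dict[str, int] = {}
    for _, hits in scan(jsonl):
        for rule in hits:
            counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_EVENTS):
        print(f"line {lineno}: {', '.join(hits)}")
```

The parent-process rule is the most durable of the set: tool names and file paths change between intrusions, but an MFT service spawning `cmd.exe` or `powershell.exe` is abnormal on any deployment and does not depend on knowing which RMM agent the operators chose this time.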

When trusted tools become attack vectors

The Medusa deployment via GoAnywhere mirrors a pattern seen in other attacks — exploiting trusted IT software as the entry point.

The attack also highlights the increasing speed at which threat groups weaponize newly disclosed vulnerabilities. With threat actors leveraging AI in their attacks, the gap from vulnerability to exploitation is shrinking to days or even hours, leaving minimal time for patching.

This reinforces the necessity of continuous vulnerability management, active monitoring of perimeter systems, and automation in patch deployment.

As ransomware operations become more agile, the distinction between IT management software and the attack surface continues to blur. The lesson is clear: every unpatched instance is an open door, and attackers like Storm-1175 are already knocking.

To stay ahead of evolving ransomware like Medusa, organizations need more than patches — they need the right protection tools to detect, contain, and recover fast.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
