Overview
- Microsoft attributes attacks since at least September 11 to Storm-1175, a Medusa ransomware affiliate, confirming pre-disclosure exploitation of the GoAnywhere MFT bug.
- The intrusion playbook includes deploying SimpleHelp and MeshAgent, creating .jsp files, running netscan, moving laterally via mstsc.exe, using a Cloudflare tunnel for C2, and exfiltrating data with Rclone.
- Fortra patched the vulnerability on September 18 in GoAnywhere MFT 7.8.4 and Sustain 7.6.3 after watchTowr flagged credible zero-day use dating to around September 10.
- The flaw, tracked as CVE-2025-10035 (CVSS 10.0), is a deserialization vulnerability in the License Servlet: the servlet accepts a license response carrying a forged signature, so attacker-supplied serialized data reaches deserialization, enabling command injection and possible RCE without authentication.
- Shadowserver counts 513 GoAnywhere instances exposed online as researchers urge upgrading, removing the Admin Console from public internet access, and checking logs for SignedObject.getObject, while calls grow for Fortra to clarify how license-signing keys were abused.
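The two defensive checks the summary recommends, a version check against the fixed releases and a log search for `SignedObject.getObject`, as a small triage script. This is an added example and not Fortra's or the researchers' code; it assumes GoAnywhere versions are dotted integers, that the 7.6 Sustain branch is fixed from 7.6.3 and every other branch from 7.8.4 (the page names only those two fixed releases), and that log lines are plain text. The sample log lines are constructed.

```python
"""Triage helpers for CVE-2025-10035 (GoAnywhere MFT License Servlet).

Added example, not vendor code. Assumptions: versions are dotted integers;
the 7.6 Sustain branch is fixed from 7.6.3 and any other branch from 7.8.4;
logs are free text in which a deserialization stack trace would contain
the frame name 'SignedObject.getObject'.
"""
import re

FIXED_MAIN = (7, 8, 4)      # GoAnywhere MFT 7.8.4 (from the advisory summary)
FIXED_SUSTAIN = (7, 6, 3)   # GoAnywhere MFT Sustain 7.6.3
INDICATOR = "SignedObject.getObject"  # java.security.SignedObject#getObject frame


def parse_version(text):
    """Turn '7.8.3' or 'GoAnywhere 7.6' into a 3-tuple of ints (missing parts are 0)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def is_patched(version):
    """True if the version is at or above the fixed release for its branch.

    Branch handling is an assumption: 7.6.x is treated as the Sustain branch,
    everything else is compared against the main-branch fix 7.8.4.
    """
    v = parse_version(version)
    if v[:2] == (7, 6):
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAIN


def find_indicator_lines(lines, indicator=INDICATOR):
    """Return (1-based line number, stripped line) for every line containing the indicator."""
    return [(n, line.rstrip()) for n, line in enumerate(lines, 1) if indicator in line]


def triage(version, log_lines):
    """Combine both checks into one result dict for a host."""
    hits = find_indicator_lines(log_lines)
    return {
        "version": version,
        "patched": is_patched(version),
        "indicator_hits": hits,
        "needs_attention": (not is_patched(version)) or bool(hits),
    }


# Constructed sample log; the stack-trace frame is the string defenders are told to search for.
SAMPLE_LOG = [
    "2025-09-10 03:12:44 INFO  Admin Console request from 198.51.100.23",
    "2025-09-10 03:13:02 ERROR License Servlet: unable to process license response",
    "java.lang.ClassCastException: unexpected object type",
    "        at java.security.SignedObject.getObject(SignedObject.java)",
    "        ... 12 more",
    "2025-09-10 03:20:11 INFO  Scheduled job completed",
]

if __name__ == "__main__":
    result = triage("7.8.3", SAMPLE_LOG)
    print(f"version {result['version']} patched={result['patched']}")
    for n, line in result["indicator_hits"]:
        print(f"  log line {n}: {line}")
    print("needs attention" if result["needs_attention"] else "no findings")
```

Run it against the real Admin Console log files and the version string from the product banner; a host is flagged if it is below the fixed release for its branch or if any line contains the indicator frame, and the matching lines are listed so they can be pulled into an incident timeline.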