Medusa Ransomware Affiliates Tied to Fortra GoAnywhere Hacks


Security Experts Advise Immediate Patching; Zero-Day Attacks Began Last Month

Mathew J. Schwartz (euroinfosec) • October 7, 2025

A ransomware group has exploited a vulnerability in widely used secure managed file transfer software for the past month.

Threat researchers at Microsoft report observing indicators that a group of affiliates tied to the Medusa ransomware-as-a-service operation has been exploiting a critical vulnerability in the License Servlet of Fortra's GoAnywhere MFT to unleash crypto-locking malware.

The deserialization vulnerability, tracked as CVE-2025-10035, "allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection," Fortra said in a Sept. 18 security advisory, noting that the flaw was discovered on Sept. 11.

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its known-exploited vulnerabilities catalog on Sept ...


Copyright of this story solely belongs to bankinfosecurity.