Microsoft blames Medusa ransomware affiliates for GoAnywhere exploits while Fortra keeps head buried


Medusa ransomware affiliates are among those exploiting a maximum-severity bug in Fortra's GoAnywhere managed file transfer (MFT) product, according to Microsoft Threat Intelligence.

Fortra disclosed the 10.0-rated deserialization vulnerability tracked as CVE-2025-10035 on September 18. At the time, the vendor warned that an attacker could trick the License Servlet - that's the GoAnywhere MFT license-checking component - into deserializing attacker-controlled Java objects by forging a license response that passes signature verification. This can lead to command injection and potential remote code execution.

Plus, after exploiting the vulnerability, miscreants can snoop around the compromised system, drop backdoors to ensure long-term access, and deploy malware droppers and other tools for lateral movement.

Now, Microsoft's threat trackers are warning that it's been exploited. "A cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175, known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the vulnerability," Redmond ...


Copyright of this story solely belongs to theregister.co.uk.