{"id":7476,"date":"2025-10-07T10:04:29","date_gmt":"2025-10-07T10:04:29","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/07\/goanywhere-0-day-rce-vulnerability-exploited-in-the-wild-to-deploy-medusa-ransomware\/"},"modified":"2025-10-07T10:04:29","modified_gmt":"2025-10-07T10:04:29","slug":"goanywhere-0-day-rce-vulnerability-exploited-in-the-wild-to-deploy-medusa-ransomware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/07\/goanywhere-0-day-rce-vulnerability-exploited-in-the-wild-to-deploy-medusa-ransomware\/","title":{"rendered":"GoAnywhere 0-Day RCE Vulnerability Exploited in the Wild to Deploy Medusa Ransomware"},"content":{"rendered":"<div>\n<p>A critical deserialization flaw in <a href=\"https:\/\/cybersecuritynews.com\/fortra-goanywhere-0-day-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">GoAnywhere<\/a> MFT\u2019s License Servlet, tracked as <a href=\"https:\/\/cybersecuritynews.com\/goanywhere-mft-platform-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-10035<\/a>, has already been weaponized by the Storm-1175 group to execute the Medusa ransomware.<\/p>\n<p>The vulnerability affects GoAnywhere MFT versions up to 7.8.3. 
It resides in the License Servlet Admin Console, where a threat actor can forge a license response signature and bypass validation checks.<\/p>\n<p>By deserializing an attacker-controlled object, the actor gains the ability to inject arbitrary commands into the Java process, ultimately leading to full remote code execution on internet-exposed instances.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-deserialization-flaw-cve-2025-10035\"><strong>Deserialization Flaw (CVE-2025-10035)<\/strong><\/h2>\n<p>The flaw does not require <a href=\"https:\/\/cybersecuritynews.com\/authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">authentication<\/a> once a validly signed payload is crafted or intercepted, making exploitation trivially achievable against unpatched systems.\u00a0<\/p>\n<p>Successful attacks allow system and user enumeration, long-term persistence, and deployment of additional tools to facilitate lateral movement and data exfiltration.\u00a0<\/p>\n<p>Immediate patching is paramount; administrators must upgrade to the versions specified in Fortra\u2019s advisory to remediate the issue and audit any potentially compromised environments.<\/p>\n<p>Microsoft Threat Intelligence <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/10\/06\/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">has attributed<\/a> active exploitation to Storm-1175, a ransomware group notorious for targeting public-facing applications.\u00a0<\/p>\n<p>Initial access is gained through the newly disclosed deserialization bug in GoAnywhere MFT.\u00a0<\/p>\n<p><span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">After seizing control,\u00a0<a href=\"https:\/\/cybersecuritynews.com\/microsoft-warns-of-ransomware-exploiting-cloud-environments\/\" target=\"_blank\" rel=\"noopener\">Storm-1175<\/a>\u00a0drops RMM binaries, specifically MeshAgent and 
SimpleHelp, into the GoAnywhere service directory.<\/span> Concurrently, malicious JSP web shells are created to facilitate stealthy remote access.<\/p>\n<p>Post-exploitation, the actors run PowerShell commands to enumerate local users, groups, domain trust relationships, and network interfaces.\u00a0<\/p>\n<p>Command and control channels are established via the <a href=\"https:\/\/cybersecuritynews.com\/top-5-remote-access-and-rmm-tools-most-abused-by-threat-actors\/\" target=\"_blank\" rel=\"noreferrer noopener\">RMM tools<\/a>, often tunneled through Cloudflare to evade detection.\u00a0<\/p>\n<p>Exfiltration is executed using rclone, with stolen data transferred to attacker-controlled cloud storage. The final stage involves encrypting victim assets with <a href=\"https:\/\/cybersecuritynews.com\/researchers-deanonymized-medusa-ransomware\/\" target=\"_blank\" rel=\"noreferrer noopener\">Medusa ransomware<\/a>, flagged by Microsoft Defender as Ransom:Win32\/Medusa.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Risk Factors<\/strong><\/td>\n<td><strong>Details<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Affected Products<\/td>\n<td>GoAnywhere MFT License Servlet Admin Console, versions up to 7.8.3<\/td>\n<\/tr>\n<tr>\n<td>Impact<\/td>\n<td>Command injection leading to RCE<\/td>\n<\/tr>\n<tr>\n<td>Exploit Prerequisites<\/td>\n<td>Validly forged or intercepted license response signature<\/td>\n<\/tr>\n<tr>\n<td>CVSS 3.1 Score<\/td>\n<td>10.0 (Critical)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-mitigations\"><strong>Mitigations<\/strong><\/h2>\n<p>Upgrade immediately to the patched GoAnywhere MFT release as per Fortra instructions.<\/p>\n<p>Configure perimeter firewalls and proxies to block outbound connections from GoAnywhere servers unless explicitly approved.<\/p>\n<p>Enable EDR in 
Block Mode to allow <a href=\"https:\/\/cybersecuritynews.com\/microsoft-defender-endpoint-bug\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Defender for Endpoint<\/a> to block malicious artifacts even under passive AV conditions.<\/p>\n<p>Deploy Attack Surface Reduction Rules to prevent common ransomware TTPs, such as blocking executable files that do not meet age or prevalence criteria and disabling web shell creation.<\/p>\n<p>Monitor with External Attack Surface Management tools to identify unmanaged or unpatched GoAnywhere instances.<\/p>\n<p>Leverage Automated Investigations and remediation features in <a href=\"https:\/\/cybersecuritynews.com\/microsoft-defender-endpoint-bug\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Defender<\/a> to reduce dwell time and alert fatigue.<\/p>\n<p>By adopting a defense-in-depth posture combining rapid patching, network segmentation, and advanced endpoint protection, organizations can thwart exploitation attempts and prevent Storm-1175's Medusa ransomware from taking hold.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/goanywhere-0-day-rce-medusa-ransomware\/\">GoAnywhere 0-Day RCE Vulnerability Exploited in the Wild to Deploy Medusa Ransomware<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Florence Nightingale<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A critical deserialization flaw in GoAnywhere MFT\u2019s License Servlet, tracked as CVE-2025-10035, has already been weaponized by the Storm-1175 group to execute the Medusa ransomware. The vulnerability affects GoAnywhere MFT versions up to 7.8.3. 
It resides in the License Servlet Admin Console, where [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1636,129,63,131],"tags":[130],"class_list":["post-7476","post","type-post","status-publish","format-standard","hentry","category-cyber-attack-news","category-cyber-security","category-cyber-security-news","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7476"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7476"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7476\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}