A critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) tool is being actively exploited by threat actors to launch ransomware attacks, according to a new report from Microsoft.
The flaw, tracked as CVE-2025-10035, is a deserialization bug in the License Servlet of GoAnywhere MFT, which is reachable through the product's Admin Console. An attacker who can present a validly forged license response signature can make the servlet deserialize an arbitrary attacker-controlled object, potentially leading to command injection and remote code execution (RCE). Fortra's advisory singles out instances whose Admin Console is exposed to the internet as the ones at risk.
According to Microsoft, the vulnerability was exploited as a zero-day by a threat group it tracks as ‘Storm-1175’ from September 11, a full week before Fortra released a patch on September 18 (GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3).
“The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware,” the tech giant warns.
The threat actors reportedly dropped legitimate remote monitoring and management tools such as SimpleHelp and MeshAgent, conducted network scanning with netscan, and moved laterally over RDP using Microsoft’s Remote Desktop Connection client (mstsc.exe). In some cases, they also deployed Rclone for data exfiltration and ultimately launched Medusa ransomware.
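As an added illustration, not part of Microsoft's report or Fortra's guidance, the following Python hunt scans process-creation events for the chain described above (remote-management agent, netscan discovery, mstsc.exe lateral movement, Rclone exfiltration) and flags any host where two or more of those stages appear within a day; it also lists processes spawned by the GoAnywhere service itself, which is what a web-shell or deserialization payload would look like on the box. The pipe-delimited log format, the tool image names, the GoAnywhere install path and every sample event are constructed assumptions; real telemetry (Sysmon event 1, Windows 4688, an EDR export) needs its own parser and tuning.

```python
"""Hunt for the Storm-1175 post-exploitation chain in process-creation telemetry.

Added example; all log lines, paths and image names below are constructed
assumptions, not indicators published by Microsoft or Fortra.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str


# Stage -> matcher on the child image (remote_access also checks the command line).
# Image names are assumptions about how these tools show up on disk; tune to your estate.
STAGES = {
    "remote_access": re.compile(r"(meshagent|simplehelp|remote access)", re.I),
    "discovery": re.compile(r"\bnetscan(64)?\.exe$", re.I),
    "lateral_movement": re.compile(r"\bmstsc\.exe$", re.I),
    "exfiltration": re.compile(r"\brclone\.exe$", re.I),
}

# Assumed GoAnywhere install directory; the real path depends on the deployment.
GOANYWHERE_PATH_MARKER = "goanywhere"

# Constructed sample events: ts|host|user|parent|image|cmdline
SAMPLE_LOG = [
    r"2025-09-12T03:14:07|MFT01|NT AUTHORITY\SYSTEM|C:\Program Files\GoAnywhere\jre\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"2025-09-12T03:20:41|MFT01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|C:\ProgramData\MeshAgent\MeshAgent.exe|MeshAgent.exe -fullinstall",
    r"2025-09-12T04:02:13|MFT01|CORP\svc_mft|C:\Windows\explorer.exe|C:\Users\Public\netscan.exe|netscan.exe /range:10.0.0.0/24",
    r"2025-09-12T05:47:55|MFT01|CORP\svc_mft|C:\Windows\explorer.exe|C:\Windows\System32\mstsc.exe|mstsc.exe /v:10.0.0.15",
    r"2025-09-13T01:05:30|FS02|CORP\admin|C:\Windows\System32\cmd.exe|C:\Users\Public\rclone.exe|rclone.exe copy D:\Shares remote:bucket",
    r"2025-09-13T09:00:02|WS17|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\mstsc.exe|mstsc.exe /v:fs02",
]


def parse_line(line):
    """Parse one constructed-format event line into a ProcEvent."""
    ts, host, user, parent, image, cmdline = line.rstrip("\n").split("|", 5)
    return ProcEvent(datetime.fromisoformat(ts), host, user, parent, image, cmdline)


def classify(ev):
    """Return the kill-chain stage an event matches, or None if it is benign-looking."""
    for stage, pat in STAGES.items():
        if pat.search(ev.image) or (stage == "remote_access" and pat.search(ev.cmdline)):
            return stage
    return None


def hunt(lines, window=timedelta(hours=24), min_stages=2):
    """Flag hosts on which at least `min_stages` distinct stages occur within `window`.

    Returns {host: sorted list of stages seen in the first qualifying window}.
    A single mstsc.exe launch is normal admin activity; the combination is the signal.
    """
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        stage = classify(ev)
        if stage:
            by_host[ev.host].append((ev.ts, stage))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged


def goanywhere_children(lines):
    """Return events whose parent is the GoAnywhere service (assumed install path).

    The MFT's Java process should not be spawning shells; any hit deserves a look
    regardless of what the child went on to do.
    """
    return [ev for ev in map(parse_line, lines)
            if GOANYWHERE_PATH_MARKER in ev.parent.lower()]


if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(stages)}")
    for ev in goanywhere_children(SAMPLE_LOG):
        print(f"GoAnywhere child process on {ev.host}: {ev.cmdline}")
```

Run against the constructed sample, MFT01 is flagged (remote_access, discovery and lateral_movement inside one day) while FS02 and WS17 are not, because a lone Rclone run or RDP session is not enough on its own; the GoAnywhere-spawned cmd.exe on MFT01 is reported separately and would be the first place to pull a timeline from.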
Medusa, a ransomware-as-a-service (RaaS) strain first spotted in 2021, has been increasingly targeting critical infrastructure. According to the Shadowserver Foundation, over 500 GoAnywhere instances remain exposed online, 363 of which are in North America; exposure alone does not prove an instance is unpatched, but an internet-facing Admin Console is exactly the condition Fortra warns about.
Earlier this week, Oracle released patches for a critical vulnerability in its E-Business Suite (EBS), tracked as CVE-2025-61882, which is being actively exploited in data theft attacks by the Clop ransomware group.
The flaw resides in the BI Publisher Integration component of Oracle Concurrent Processing, and allows for unauthenticated remote code execution.
