Microsoft blames Medusa affiliates for GoAnywhere exploits
Briefly

"Medusa ransomware affiliates are among those exploiting a maximum-severity bug in Fortra's GoAnywhere managed file transfer (MFT) product, according to Microsoft Threat Intelligence. Fortra disclosed the 10.0-rated deserialization vulnerability tracked as CVE-2025-10035 on September 18. At the time, the vendor warned the flaw could trick the License Servlet - that's the GoAnywhere MFT license-checking component - into deserializing attacker-controlled Java objects by forging a license response that passes signature verification."
"Microsoft researchers spotted Storm-1175 exploitation activity affecting "multiple organizations" on September 11, according to the Monday report. After exploiting the deserialization vulnerability as a zero-day, the ransomware slingers abused GoAnywhere MFT processes to deploy SimpleHelp and MeshAgent, both remote monitoring and management (RMM) tools, to maintain persistence. They also dropped the RMM binaries directly under the GoAnywhere MFT process and created .jsp files. Next, the attackers executed user and system discovery commands, deployed netscan for network discovery,"
Medusa-linked actors exploited a 10.0-rated deserialization bug in Fortra's GoAnywhere MFT (CVE-2025-10035) that can force the License Servlet to deserialize malicious Java objects by forging a license response that passes signature verification. Exploitation can enable command injection and remote code execution. After compromise, attackers can snoop on systems, install backdoors for persistence, and deploy malware droppers and lateral movement tools. A group tracked as Storm-1175 exploited the flaw against multiple organizations around September 11. Threat actors installed SimpleHelp and MeshAgent RMM tools, dropped RMM binaries and .jsp files, and ran discovery and network-scanning utilities. Organizations should patch immediately and restrict external access to the GoAnywhere Admin Console.
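The post-exploitation chain above leaves a recognisable telemetry footprint: RMM agents and discovery commands spawned as children of the GoAnywhere MFT process, and .jsp files written by that process. The following detection routine, an added example that is not from The Register article, Microsoft's report or Fortra, scans constructed JSON process-creation and file-creation events for exactly that pattern. The event schema, the `goanywhere` install-path match used to identify the MFT parent process, and the RMM binary names are assumptions, not identifiers from the page.

```python
"""
Added example (not the article's, Microsoft's or Fortra's code): flag
post-exploitation activity originating from the GoAnywhere MFT process.
Rules:
  1. an RMM agent (MeshAgent, SimpleHelp) launched with the MFT process as parent
  2. discovery tooling launched with the MFT process as parent
  3. a .jsp file written by the MFT process
Event format, install path and binary names are constructed assumptions.
"""
import json
import re
from typing import Iterable, List, Optional, Tuple

# ASSUMPTION: the MFT Java process lives under an install directory containing
# "goanywhere"; adjust to the real service path in your environment.
GOANYWHERE_RE = re.compile(r"goanywhere", re.IGNORECASE)

# The two RMM tools the report names; exact file names are assumptions.
RMM_MARKERS = ("meshagent", "simplehelp")

# Discovery binaries worth flagging when the MFT process is the parent
# (netscan is the tool the report names; the others are common equivalents).
DISCOVERY_SUFFIXES = ("whoami.exe", "net.exe", "netscan.exe", "nltest.exe")

JSP_RE = re.compile(r"\.jsp$", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one event, or None if it matches no rule."""
    kind = event.get("type")
    if kind == "process_create" and GOANYWHERE_RE.search(event.get("parent_image", "")):
        image = event.get("image", "").lower()
        if any(marker in image for marker in RMM_MARKERS):
            return "rmm_spawned_by_goanywhere"
        if image.endswith(DISCOVERY_SUFFIXES):
            return "discovery_from_goanywhere"
    if kind == "file_create" and GOANYWHERE_RE.search(event.get("image", "")):
        if JSP_RE.search(event.get("target", "")):
            return "jsp_written_by_goanywhere"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse JSON-per-line events; return (label, image) for every alert."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry should not abort the whole scan
        label = classify(event)
        if label:
            alerts.append((label, event.get("image", "")))
    return alerts


# Constructed sample events (not real telemetry). Raw strings keep the JSON
# backslash escapes intact so json.loads sees "C:\GoAnywhere\...".
SAMPLE_EVENTS = [
    r'{"type":"process_create","parent_image":"C:\\GoAnywhere\\jre\\bin\\java.exe","image":"C:\\Windows\\Temp\\MeshAgent.exe"}',
    r'{"type":"process_create","parent_image":"C:\\GoAnywhere\\jre\\bin\\java.exe","image":"C:\\ProgramData\\SimpleHelpService.exe"}',
    r'{"type":"file_create","image":"C:\\GoAnywhere\\jre\\bin\\java.exe","target":"C:\\GoAnywhere\\tomcat\\webapps\\ROOT\\x.jsp"}',
    r'{"type":"process_create","parent_image":"C:\\GoAnywhere\\jre\\bin\\java.exe","image":"C:\\Windows\\System32\\whoami.exe"}',
    r'{"type":"process_create","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Tools\\MeshAgent.exe"}',
    r'{"type":"file_create","image":"C:\\GoAnywhere\\jre\\bin\\java.exe","target":"C:\\GoAnywhere\\userdata\\report.csv"}',
    "this line is not json",
]

if __name__ == "__main__":
    for label, image in scan(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```

The benign cases are deliberate: an RMM agent started by an interactive user (explorer.exe as parent) and an ordinary data file written by the MFT process produce no alert, so the rules key on the parent/child relationship with the MFT process rather than on the tool names alone. In production, replace the constructed list with your EDR or Sysmon process-creation and file-creation feed.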
Read at The Register