Medusa Ransomware Actively Exploiting CVE-2025-10035
In September 2025, Fortra disclosed a critical vulnerability in its GoAnywhere Managed File Transfer (MFT) platform. Tracked as CVE-2025-10035, the flaw rapidly became a favored target for ransomware actors, particularly affiliates deploying Medusa ransomware.
The vulnerability and subsequent exploitation highlight the dangerous intersection of software supply chain risks, critical infrastructure dependencies, and increasingly sophisticated ransomware ecosystems.
At its core, CVE-2025-10035 is a deserialization weakness in GoAnywhere's License Servlet. The servlet accepts a signed, serialized license response and does not safely validate the object it contains before deserializing it. An attacker who can produce a forged license response that passes the verification check can therefore make the application deserialize an object of the attacker's choosing.
Once deserialized, such an object can be used to execute arbitrary commands on the host, leading to complete system compromise. Fortra rated the flaw CVSS 10.0, severe enough to warrant immediate patching.
What makes the vulnerability particularly dangerous is that exploitation requires neither authentication nor user interaction. In practice, this means that if the Admin Console, which hosts the License Servlet, is reachable from the internet, an attacker can achieve remote code execution without any credentials.
Analysts note that the exploit chain involves several elements: an access control bypass that reaches the License Servlet, the deserialization flaw itself, and, most puzzlingly, what appears to be the reuse of a private key involved in license validation, since a forged license response would otherwise fail its signature check. Regardless of the exact mechanism, the vulnerability is a full compromise vector against a widely used enterprise tool.
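The following Java program is an added illustration of the "verify the signature, then deserialize whatever is inside" pattern described above; it is not Fortra's code and does not reproduce GoAnywhere's actual servlet logic. The LicenseResponse class, the RSA key pair and the HashMap standing in for a real gadget chain are all constructed for this example. It shows that signature verification alone does not protect the deserialization step once the signing key is in the attacker's hands, and that a JVM-wide deserialization filter (JEP 290; `ObjectInputFilter.allowFilter` needs Java 17+) is what actually limits which classes `SignedObject.getObject()` will instantiate.

```java
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignedObject;
import java.util.HashMap;

/** Constructed example; the classes below are hypothetical, not GoAnywhere's. */
public class SignedLicenseDemo {

    /** Assumed shape of a license response (hypothetical). */
    static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        final String licensee;
        final long expiresEpochSeconds;
        LicenseResponse(String licensee, long expiresEpochSeconds) {
            this.licensee = licensee;
            this.expiresEpochSeconds = expiresEpochSeconds;
        }
    }

    /** Server side: the only gate is the signature; the embedded object is then deserialized. */
    static Object acceptLicense(SignedObject response, PublicKey vendorKey) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        if (!response.verify(vendorKey, verifier)) {
            throw new SecurityException("license signature invalid");
        }
        // getObject() runs a fresh ObjectInputStream over the signed bytes.
        // Whoever holds the signing key (or bypasses the check) chooses the class.
        return response.getObject();
    }

    /** Sender side: wrap any Serializable in a signed envelope. */
    static SignedObject sign(Serializable payload, PrivateKey key) throws Exception {
        return new SignedObject(payload, key, Signature.getInstance("SHA256withRSA"));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair vendor = kpg.generateKeyPair();

        // 1. Legitimate flow: a real license response is signed by the vendor key.
        LicenseResponse ok = (LicenseResponse) acceptLicense(
                sign(new LicenseResponse("ACME", 1_900_000_000L), vendor.getPrivate()),
                vendor.getPublic());
        System.out.println("accepted licensee: " + ok.licensee);

        // 2. Signing key leaked or reused: a stand-in for a gadget chain (a plain HashMap here)
        //    passes the signature check and is deserialized with no further restriction.
        HashMap<String, String> gadgetStandIn = new HashMap<>();
        gadgetStandIn.put("cmd", "whoami");
        Object forged = acceptLicense(sign(gadgetStandIn, vendor.getPrivate()), vendor.getPublic());
        System.out.println("deserialized without filter: " + forged.getClass().getName());

        // 3. Hardened: a process-wide deserialization filter. SignedObject.getObject() builds
        //    its own ObjectInputStream, so a per-stream filter cannot be attached; only the
        //    global filter (or the jdk.serialFilter system property) reaches it.
        ObjectInputFilter onlyLicense = ObjectInputFilter.allowFilter(
                cl -> cl == LicenseResponse.class, ObjectInputFilter.Status.REJECTED);
        ObjectInputFilter.Config.setSerialFilter(onlyLicense);

        try {
            acceptLicense(sign(gadgetStandIn, vendor.getPrivate()), vendor.getPublic());
            System.out.println("unexpected: filter did not reject the forged object");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }

        // The genuine license class is still accepted under the same filter.
        acceptLicense(sign(new LicenseResponse("ACME", 1_900_000_000L), vendor.getPrivate()),
                vendor.getPublic());
        System.out.println("license still accepted under filter");
    }
}
```

Compile and run with `javac SignedLicenseDemo.java && java SignedLicenseDemo`. The filter is set once per JVM and must be installed before any untrusted stream is read; in a deployed application that usually means the `jdk.serialFilter` property on the command line rather than code in a request handler. The stronger fix is to not deserialize attacker-reachable bytes at all and carry license data in a non-object format whose parser cannot instantiate arbitrary classes.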
GoAnywhere is heavily relied upon in industries where secure file transfers and data automation are critical. Its compromise provides attackers not just with access to a single system, but with a gateway into the broader infrastructure of an organization. For threat actors motivated by ransomware, this vulnerability offers a direct path to high-value targets.
The risks associated with CVE-2025-10035 are extensive. Successful exploitation allows attackers to seize control of the host environment, which in many organizations means access to sensitive data flows, internal business applications, and credentials for lateral movement. Once inside, an attacker can exfiltrate files, create persistent accounts, escalate privileges, and prepare for a ransomware strike.
Security agencies and researchers have warned that defenders must not only apply patches but also treat the flaw as potentially already exploited. Indicators such as anomalous user creation, privilege escalation attempts, or error log entries containing the stack trace string "SignedObject.getObject" may point to exploitation attempts.
Where patching cannot happen immediately, organizations are advised to remove the Admin Console from external exposure, restrict access to the License Servlet endpoint at the network level, and monitor closely for malicious behavior.
Patching remains the most effective defense. Fortra fixed the vulnerability in GoAnywhere version 7.8.4 and in the Sustained Release 7.6.3. Still, the speed and scale of exploitation remind organizations that patching alone is insufficient; proactive detection, incident response preparation, and network segmentation are vital to containing the damage.
While CVE-2025-10035 is a serious vulnerability on its own, its exploitation is particularly concerning because of the payloads it enables. In at least one confirmed incident, attackers used the flaw to deploy Medusa ransomware, an operation that has been active for several years and is known for targeting critical infrastructure. The vulnerability therefore represents not just a technical flaw but a direct path into one of the most dangerous ransomware campaigns currently active.
Medusa Ransomware's Active Exploitation
The exploitation of CVE-2025-10035 has become one of the most effective entry points for Medusa affiliates. Microsoft attributed the GoAnywhere exploitation to Storm-1175, a known Medusa affiliate, and observed the intrusion culminating in a Medusa ransomware deployment in at least one environment. The connection between the flaw and the ransomware shows how quickly established ransomware operations fold newly disclosed vulnerabilities into their playbooks to maximize profit.
In a typical campaign, attackers first compromise GoAnywhere using the deserialization flaw. Once inside, they move laterally across the network, escalate privileges, and exfiltrate sensitive data. They then deploy Medusa ransomware to encrypt files and delete backups, making recovery extremely difficult without payment. Victims face both the loss of access to critical systems and the threat of public exposure of their most sensitive information.
The Medusa ransomware operation has steadily grown into one of the most disruptive ransomware families targeting enterprises and government entities. First observed in June 2021, Medusa initially emerged as a more closed-group ransomware-as-a-service (RaaS) model before expanding to include broader affiliate participation.
Over time, it established its own leak site, known as the Medusa Blog, where stolen data is published if victims refuse to pay the ransom. This "double extortion" model—encrypting data while threatening public leaks—has since become a hallmark of the group's campaigns.
Medusa's operators use a range of tactics to maximize disruption. Affiliates often rely on phishing campaigns or purchase access from initial access brokers, giving them entry into corporate networks. Once inside, they employ living-off-the-land techniques, using legitimate administrative tools to blend in with routine activity.
The group has also adopted aggressive extortion methods, including countdown timers on leak sites that pressure victims into paying to delay the publication of stolen files.
By early 2025, Medusa had become a prominent name among ransomware groups, particularly for its focus on critical infrastructure sectors, including healthcare, education, manufacturing, and energy. CISA and its partners reported that the group had compromised more than 300 critical infrastructure organizations, underscoring the scale of its operations.
In 2025 alone, over 40 new victims were publicly identified, with ransom demands ranging from hundreds of thousands of dollars to over 15 million dollars.
High-profile cases have further drawn attention to the group. One such case involved NASCAR, where Medusa operators demanded a ransom of four million dollars and threatened to leak sensitive data. Beyond sports and entertainment, Medusa has repeatedly targeted organizations with low tolerance for downtime, ensuring that the pressure to pay is particularly acute.
In conclusion, the exploitation of CVE-2025-10035 in GoAnywhere MFT and its use in Medusa ransomware campaigns exemplify the evolving nature of cyber threats. A single vulnerability in a widely used enterprise tool has become the linchpin for one of the most damaging ransomware operations targeting critical infrastructure worldwide.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.