Dark Web News Analysis
Information about a critical exploit for CVE-2025-10035, a vulnerability in Fortra’s GoAnywhere MFT (Managed File Transfer) product, is circulating on cybercrime forums, signaling widespread malicious use. This vulnerability allows for unauthenticated Remote Code Execution (RCE) and is being actively exploited in the wild by a known threat actor group to deploy the Medusa ransomware. The vulnerability, which affects all GoAnywhere MFT versions up to 7.8.3, resides in the License Servlet administrative console.
The attack chain is sophisticated and begins with the threat actor bypassing security checks by forging a license response signature. This provides initial access and allows them to execute arbitrary commands on the vulnerable server. Once inside, the attackers establish persistence using legitimate Remote Management and Monitoring (RMM) tools like MeshAgent and SimpleHelp, as well as by planting web shells for covert access. They then conduct internal reconnaissance using PowerShell, exfiltrate large volumes of sensitive data with the rclone utility to cloud storage, and finally, deploy the Medusa ransomware to encrypt the victim’s systems and disrupt operations.
Key Cybersecurity Insights
This high-impact vulnerability and its active exploitation present several critical threats:
- Critical RCE in a Widely Used MFT Product: Managed File Transfer (MFT) solutions like GoAnywhere are critical business systems used by organizations to handle large volumes of sensitive data. An unauthenticated RCE vulnerability in such a public-facing system is a worst-case scenario, providing attackers with a direct and easy entry point deep inside a corporate network.
- Multi-Stage Attack Chain Bypassing Traditional Defenses: The attackers are not simply exploiting the bug to run ransomware. They use a sophisticated, multi-stage approach that involves “living off the land” techniques and legitimate RMM tools. This methodology is deliberately designed to evade simple antivirus and firewall rules, allowing the attackers to remain undetected for a longer period while they map the network and exfiltrate data.
- Active Exploitation Leading to Double-Extortion Ransomware: The exploitation of CVE-2025-10035 is not theoretical; it is actively being used to deploy Medusa ransomware. The attackers are following a double-extortion model: first, they steal the victim’s sensitive data using rclone for future public leaking, and then they encrypt the systems to halt business operations. This gives them two powerful points of leverage to force a ransom payment.
Mitigation Strategies
In response to this active and critical threat, all GoAnywhere MFT users must take immediate action:
- Patch Immediately and Assume Compromise: The most critical and urgent action is for all organizations using GoAnywhere MFT to immediately update to a patched version (beyond 7.8.3). Due to the active exploitation, any unpatched, internet-facing systems should be considered potentially compromised and must be thoroughly investigated for signs of intrusion, even after patching.
- Hunt for Attacker TTPs and Indicators of Compromise (IOCs): Security teams must proactively hunt for the specific tools and techniques used in this attack chain. This includes scanning for unauthorized web shells in the GoAnywhere service directory, monitoring network traffic for command-and-control (C2) connections associated with MeshAgent or SimpleHelp, and creating detection rules for the unauthorized use of rclone and suspicious PowerShell commands.
- Implement Layered Security Defenses: Organizations must deploy and properly configure an Endpoint Detection and Response (EDR) solution capable of detecting and blocking the behavioral patterns of ransomware execution. Furthermore, network segmentation should be implemented to limit an attacker’s ability to move laterally from a compromised MFT server to other critical parts of the network, such as domain controllers or backup servers.
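One way to turn the hunting guidance above into a concrete triage script, as an added example that is not part of the original post or of Fortra's tooling: it scans constructed Sysmon-style process-creation and file-write events for the TTPs named in this chain (rclone execution, MeshAgent/SimpleHelp binaries, encoded or GoAnywhere-spawned PowerShell, and JSP files written under the GoAnywhere directory). The binary-name substrings, the GoAnywhere install path, and the assumption that the service runs under java.exe are illustrative, not from the advisory.

```python
"""Hunt constructed process/file events for the GoAnywhere -> Medusa TTPs."""
import re
from pathlib import PureWindowsPath

# Constructed sample events (Sysmon-like fields); not real telemetry.
# Paths, binary names and the base64 placeholder are assumptions for illustration.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\admin\Downloads\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares\\Finance remote:staging --transfers 16"},
    {"type": "process", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe", "cmdline": "MeshAgent.exe"},
    {"type": "file", "image": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "path": r"C:\Program Files\GoAnywhere\tomcat\webapps\ROOT\cmd.jsp"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)  # encoded-command switches
RMM_NAMES = ("meshagent", "simplehelp")   # assumed binary-name substrings for the RMM tools
WEBSHELL_EXT = {".jsp", ".jspx", ".war"}  # file types a Java web shell would use

def basename(path):
    return PureWindowsPath(path).name.lower()

def hunt(events):
    """Return (rule, detail) tuples for events matching the attack chain's TTPs."""
    hits = []
    for ev in events:
        if ev["type"] == "file":
            # Web shell planted in the GoAnywhere service directory
            p = PureWindowsPath(ev["path"])
            if "goanywhere" in ev["path"].lower() and p.suffix.lower() in WEBSHELL_EXT:
                hits.append(("webshell_write_in_goanywhere_dir", ev["path"]))
            continue
        img, parent, cmd = basename(ev["image"]), ev["parent"].lower(), ev["cmdline"]
        # rclone used for bulk exfiltration (renamed binaries still show the verb syntax)
        if img == "rclone.exe" or re.search(r"\brclone\b.*\b(copy|sync|move)\b", cmd, re.I):
            hits.append(("rclone_execution", cmd))
        # Legitimate RMM agents used for persistence
        if any(n in img for n in RMM_NAMES):
            hits.append(("rmm_tool_execution", ev["image"]))
        # PowerShell with an encoded command, or spawned by the GoAnywhere service process
        if img in ("powershell.exe", "pwsh.exe") and (ENCODED_PS.search(cmd) or "goanywhere" in parent):
            hits.append(("suspicious_powershell", cmd))
    return hits
```

Feed it real EDR or Sysmon exports by mapping their fields onto the same four keys; each rule is deliberately narrow so hits are worth a manual look rather than a tuning exercise.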
Questions or Feedback? Brinztech provides cybersecurity services worldwide and does not endorse or guarantee the accuracy of external claims. For any inquiries or to report this post, please email: contact@brinztech.com