October 6, 2025 By Sergiu Gatlan
A cybercrime group, tracked as Storm-1175, has been actively exploiting a maximum severity GoAnywhere MFT vulnerability in Medusa ransomware attacks for nearly a month.
Tracked as CVE-2025-10035, this security flaw impacts Fortra's web-based secure transfer GoAnywhere MFT tool, caused by a deserialization of untrusted data weakness in the License Servlet. This vulnerability can be exploited remotely in low-complexity attacks that don't require user interaction.
Security analysts at the Shadowserver Foundation are now monitoring over 500 GoAnywhere MFT instances exposed online, although it's unclear how many have already been patched.
While Fortra patched the vulnerability on September 18 without mentioning active exploitation, security researchers at WatchTowr Labs tagged it as exploited in the wild one week later, after receiving "credible evidence" that CVE-2025-10035 had been leveraged as a zero-day since September 10.
