{"id":113772,"date":"2025-10-10T16:53:09","date_gmt":"2025-10-10T16:53:09","guid":{"rendered":"https:\/\/www.europesays.com\/ie\/113772\/"},"modified":"2025-10-10T16:53:09","modified_gmt":"2025-10-10T16:53:09","slug":"fortra-confirms-unauthorized-activity-hit-goanywhere-mft","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ie\/113772\/","title":{"rendered":"Fortra Confirms ‘Unauthorized Activity’ Hit GoAnywhere MFT"},"content":{"rendered":"

Medusa Ransomware Group Tied to Exploits of Now-Patched Zero-Day Vulnerability<\/p>\n

Mathew J. Schwartz<\/a> (euroinfosec<\/a>) \u2022
\n October 10, 2025 \u00a0 \u00a0 <\/p>\n

\"Fortra
\n Image: Shutterstock\/ISMG <\/p>\n

Attacks targeting Fortra’s GoAnywhere managed file transfer software recently exploited on-premises installations where system administrators exposed the management console to the internet, a configuration the vendor recommends against.<\/p>\n

See Also:<\/b> When Identity Protection Fails: Rethinking Resilience for a Modern Threat Landscape<\/a><\/p>\n

Publishing findings from its investigation into the hacking campaign on Thursday, Fortra said<\/a> a “limited” number of customers appear to have been breached by attackers who exploited a zero-day deserialization vulnerability, now tracked as CVE-2025-10035<\/a>, in GoAnywhere MFT’s License Servlet (see: Medusa Ransomware Affiliates Tied to Fortra GoAnywhere Hacks<\/a>).<\/p>\n

“The scope of the risk of this vulnerability is limited to customers with an admin console exposed to the public internet,” says Fortra’s report. “Other web-based components of the GoAnywhere architecture are not affected by this vulnerability. We continue to monitor the situation. At this time, we have a limited number of reports of unauthorized activity related to CVE-2025-10035.”<\/p>\n

Minnesota-based Fortra first said<\/a> in a Sept. 18 security advisory that attackers were exploiting CVE-2025-10035, which has a maximum CVSS score of 10. The flaw “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.”<\/p>\n

As detailed<\/a> by Microsoft on Monday, a cybercrime group, the computing giant tracks as Storm-1175, has exploited the flaw – and could still have access to a victim’s environment even after admins apply a patch. The threat actor previously exploited internet-connected applications to gain access to a victim’s network on order to deploy Medusa ransomware.<\/p>\n

“The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access and deploy additional tools for lateral movement and malware,” Microsoft warned.<\/p>\n

Fortra said a customer first alerted it to the attacks on Sept. 11, after which it launched an investigation. “We inspected customer logs, researched the exposure of on-premises customer admin consoles and analyzed our MFTaaS – Fortra-hosted – instances for indicators of compromise,” including reviewing the logs for every one of the cloud-based instances.<\/p>\n

The same day, the company directly contacted on-premises customers that exposed GoAnywhere MFT software’s admin console to the internet. “Our support team provided risk mitigation measures and further assistance to these customers as requested,” it said.<\/p>\n

Fortra said that when reviewing its managed-file-as-a-transfer service environment instances and verifying that they didn’t expose admin controls, it did find three MFTaaS instances that showed signs of attackers having attempted to exploit the vulnerability against them. “We promptly isolated these instances for further investigation and contacted the customers,” it said.<\/p>\n

Fortra Lets the Mystery Be<\/p>\n

Vulnerability researcher Benjamin Harris, CEO of threat intelligence firm watchTowr, while lauding Fortra’s overall transparency, said the vendor still hasn’t answered questions pertaining to exactly how attackers were able to forge valid GoAnywhere MFT licenses.<\/p>\n

Fortra declined to comment.<\/p>\n

Harris said his “conjecture” is that the company’s private key leaked, which “would let attackers sign malicious objects that every GoAnywhere instance on the planet would happily accept.” Another possibility is that the private key fell victim to an attacker who activated a GoAnywhere product and slipped a malicious object into the automatically generated request for a new license to be signed.<\/p>\n

“The mystery remains – watchTowr researchers and others are still unclear how this vulnerability could be exploited without access to a private key that only Fortra is believed to have access to,” Harris said.<\/p>\n