Medusa ransomware affiliates are among those exploiting a maximum-severity bug in Fortra's GoAnywhere managed file transfer (MFT) product, according to Microsoft Threat Intelligence.

Fortra disclosed the 10.0-rated deserialization vulnerability tracked as CVE-2025-10035 on September 18. At the time, the vendor warned the flaw could trick the License Servlet - that's the GoAnywhere MFT license-checking component - into deserializing attacker-controlled Java objects by forging a license response that passes signature verification. This can lead to command injection and potential remote code execution.

Plus, after exploiting the vulnerability, miscreants can snoop around the compromised system, drop backdoors to ensure long-term access, and deploy malware droppers and other tools for latera

See Full Page