MEDUSA RANSOMWARE STRIKES: Critical RCE (CVE-2025-10035) in GoAnywhere MFT Actively Exploited

CODE RED • ACTIVE EXPLOITATION • RANSOMWARE
By CyberDudeBivash • October 07, 2025 • Urgent Security Directive

cyberdudebivash.com | cyberbivash.blogspot.com
Disclosure: This is an urgent security advisory for IT and security professionals. It contains affiliate links to relevant enterprise security solutions. Your support helps fund our independent research.

Chapter 1: The MFT Underbelly is Breached Again

In a chilling echo of the MOVEit crisis, another major Managed File Transfer (MFT) platform is under active, widespread attack. Threat intelligence sources confirm that the **Medusa ransomware** group is exploiting a new, critical unauthenticated Remote Code Execution (RCE) zero-day in **GoAnywhere MFT**, which we are tracking as **CVE-2025-10035**. Internet-facing, file-sharing applications have become the soft underbelly of the enterprise and the number one target for major extortion groups. A compromise of your MFT platform is not just an IT incident; it is a catastrophic supply chain and data security crisis.

Chapter 2: Threat Analysis — The Unauthenticated Deserialization RCE (CVE-2025-10035)

The vulnerability is a classic but devastating **insecure deserialization** flaw in the GoAnywhere MFT's web interface. This class of vulnerability is notoriously difficult to patch and provides a direct path to RCE.

The Exploit:

  1. An unauthenticated attacker sends a specially crafted POST request to a publicly exposed API endpoint on the GoAnywhere server.
  2. This request contains a malicious serialized Java object, likely generated with a tool like `ysoserial`.
  3. The application's code receives this object and deserializes (unpacks) it without proper validation.
  4. During the deserialization process, a "gadget chain" is triggered, which forces the application to execute arbitrary commands on the underlying server with the privileges of the GoAnywhere service account.
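To make the mechanism above concrete from the defender's side, here is a short added Java example (our illustration, not GoAnywhere or Fortra code): a request handler that unpacks a client-supplied byte stream with a bare `ObjectInputStream`, beside the same handler behind a JEP 290 `ObjectInputFilter` allow-list. The `TransferRequest` class, the filter pattern and the size limits are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added illustration, not GoAnywhere/Fortra code: a request-handling path that
// deserializes a client-supplied byte[] with a bare ObjectInputStream, beside the
// same path behind a JEP 290 ObjectInputFilter allow-list (Java 9+).
public class DeserializationHardening {

    // Hypothetical DTO the endpoint legitimately expects from clients.
    public static final class TransferRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String fileName;
        TransferRequest(String fileName) { this.fileName = fileName; }
    }

    // Vulnerable pattern: the stream, not the server, decides which classes get
    // instantiated, so any gadget chain present on the classpath can be triggered
    // during readObject() with the service account's privileges.
    static Object deserializeUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: only the expected DTO and java.lang.String are allowed,
    // everything else ("!*") is rejected before its class is resolved, and the
    // limits blunt resource-exhaustion streams (nesting, reference count, size).
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "DeserializationHardening$TransferRequest;java.lang.String;!*;"
            + "maxdepth=5;maxrefs=50;maxbytes=65536");

    static TransferRequest deserializeFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(FILTER);
            Object obj = in.readObject();
            if (!(obj instanceof TransferRequest)) {
                throw new InvalidClassException("unexpected payload type " + obj.getClass().getName());
            }
            return (TransferRequest) obj;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new TransferRequest("report.csv"));
        // Stand-in for a stream naming a class the endpoint never asked for. A
        // harmless HashMap is used here; the point is that the filter decides on
        // the class name, so a gadget class would be rejected the same way.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered accepted: " + deserializeUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepted legit request for: " + deserializeFiltered(legit).fileName);
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            // readObject() fails with "filter status: REJECTED" before any HashMap is built
            System.out.println("filtered rejected unexpected class: " + e.getMessage());
        }
    }
}
```

The allow-list is the important part: a deny-list of known gadget classes is what "notoriously difficult to patch" looks like in practice, because every new gadget chain reopens the hole, whereas an allow-list that names only the types the endpoint was written to accept does not care which gadgets exist on the classpath. In a real deployment the same filter can be applied process-wide with the `jdk.serialFilter` system property, which is worth doing as a compensating control on any Java application that must expose deserialization to the internet.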

Chapter 3: The Adversary — The Medusa Ransomware Playbook

The Medusa ransomware group is a "Big Game Hunting" operation that follows a ruthless and effective playbook. They are known for their **double-extortion** tactics.

  • **Data Theft:** Their first action after exploiting the RCE is not to encrypt, but to steal. They exfiltrate all the sensitive data stored on and passing through the MFT server.
  • **Encryption:** Only after they have secured the data do they deploy their ransomware payload to encrypt the GoAnywhere server and often pivot to attack the rest of the network.
  • **Extortion:** They then demand a massive ransom payment. This is a payment for both the decryption key and, more importantly, for their promise not to leak the massive trove of sensitive partner and customer data they have stolen.

Chapter 4: The Defender's Playbook — Emergency Patching & Hunting

You must assume any internet-facing, unpatched GoAnywhere MFT instance is a target.

1. PATCH IMMEDIATELY or ISOLATE

An emergency patch has been released by Fortra (the vendor). This is your highest priority. If you cannot apply the patch immediately, you must take the system offline or use your perimeter firewall to **block all internet access** to the web interface until it can be patched.

2. Hunt for Compromise (Assume Breach)

You must proactively hunt for signs that you were compromised before patching. The key TTP to look for is the GoAnywhere service process spawning unexpected child processes. Use your **EDR** to run this query:

  ParentProcess: goanywhere.exe (or the Java process for GoAnywhere)
  AND ProcessName IN ('cmd.exe', 'powershell.exe', '/bin/sh', 'curl.exe', 'wget.exe')

Any hit on this query is a critical indicator of compromise that requires immediate incident response.
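The same hunt expressed as code rather than as a vendor query, as an added example (ours, not any EDR product's): it runs the parent/child rule over a few constructed process-creation events, and narrows the "Java process for GoAnywhere" case to a JVM launched from the product's install directory so that unrelated Java workloads on the same estate do not page the SOC. The pipe-separated event layout, the install-directory name and the process names are assumptions for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration, not any EDR vendor's code: the advisory's parent/child hunt
// applied to process-creation events. The pipe-separated record layout, the
// install-directory name and the process names are assumptions for the demo.
public class GoAnywhereSpawnHunt {

    // Child images a file-transfer service has no business launching.
    static final Set<String> SHELLS_AND_DOWNLOADERS = Set.of(
            "cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash",
            "curl", "curl.exe", "wget", "wget.exe");

    // One process-creation event: ts|host|parentImagePath|childImagePath|childCommandLine
    record ProcessEvent(String timestamp, String host, String parentPath,
                        String childPath, String commandLine) {}

    static String baseName(String path) {
        int cut = Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\'));
        return path.substring(cut + 1).toLowerCase(Locale.ROOT);
    }

    // The service appears either as its own binary or as a JVM launched from the
    // product's install directory. Requiring the GoAnywhere path for the JVM case
    // keeps unrelated Java workloads (build agents, other apps) out of the results.
    static boolean isGoAnywhereParent(String parentPath) {
        String base = baseName(parentPath);
        if (base.equals("goanywhere.exe")) {
            return true;
        }
        boolean jvm = base.equals("java.exe") || base.equals("java");
        return jvm && parentPath.toLowerCase(Locale.ROOT).contains("goanywhere");
    }

    // Returns null for lines that do not carry all five fields.
    static ProcessEvent parse(String line) {
        String[] f = line.split("\\|", 5);
        if (f.length != 5) {
            return null;
        }
        return new ProcessEvent(f[0], f[1], f[2], f[3], f[4]);
    }

    static List<ProcessEvent> hunt(List<String> lines) {
        List<ProcessEvent> hits = new ArrayList<>();
        for (String line : lines) {
            ProcessEvent e = parse(line);
            if (e != null && isGoAnywhereParent(e.parentPath())
                    && SHELLS_AND_DOWNLOADERS.contains(baseName(e.childPath()))) {
                hits.add(e);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample events, including a JVM-spawns-JVM line and a build
        // server's JDK that the GoAnywhere-path check keeps out of the results.
        List<String> sample = List.of(
            "2025-10-07T02:14:09Z|mft01|C:\\Program Files\\GoAnywhere\\jre\\bin\\java.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
            "2025-10-07T02:14:12Z|mft01|C:\\Program Files\\GoAnywhere\\goanywhere.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -Command Get-Process",
            "2025-10-07T02:15:00Z|mft01|C:\\Program Files\\GoAnywhere\\jre\\bin\\java.exe|C:\\Program Files\\GoAnywhere\\jre\\bin\\java.exe|java -version",
            "2025-10-07T02:16:30Z|build01|C:\\Program Files\\Java\\jdk-17\\bin\\java.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c gradle build",
            "2025-10-07T02:17:45Z|mft02|/opt/goanywhere/jre/bin/java|/usr/bin/curl|curl http://203.0.113.10/"
        );
        for (ProcessEvent hit : hunt(sample)) {
            System.out.println("CRITICAL " + hit.timestamp() + " " + hit.host() + ": "
                    + baseName(hit.parentPath()) + " -> " + hit.commandLine());
        }
    }
}
```

Tune `isGoAnywhereParent` to the real install path and service account on your hosts before trusting the results, and run the hunt over the full retention window your EDR gives you, not just the hours since the patch: the group's playbook is to steal first and encrypt later, so the shell spawn you are looking for may predate any visible damage by days.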

Detect the Post-Exploitation Phase: A modern security solution is your essential safety net. **Kaspersky Endpoint Security for Servers** with EDR capabilities can detect the malicious behaviors and TTPs used by ransomware gangs *after* the initial exploit.

About the Author

CyberDudeBivash is a cybersecurity strategist with 15+ years in incident response, threat intelligence, and application security, advising CISOs across APAC. [Last Updated: October 07, 2025]

#CyberDudeBivash #Ransomware #Medusa #GoAnywhere #MFT #CVE #RCE #CyberSecurity #PatchNow #ThreatIntel #InfoSec
