Medusa Ransomware Exploits GoAnywhere MFT Vulnerability CVE-2025-10035

Estimated reading time: 10 minutes

Key takeaways:

  • Medusa ransomware group is actively exploiting GoAnywhere MFT vulnerability CVE-2025-10035.
  • The campaign highlights the need for enhanced security measures, including real-time ransomware intelligence and breach detection mechanisms.
  • Organizations should apply security patches, conduct compromise assessments, and implement network segmentation to mitigate risks.
  • Active exploitation of a critical 0-day vulnerability, tracked as CVE-2025-61882, in Oracle E-Business Suite (EBS).
  • PurpleOps services such as cyber threat intelligence, breach detection, and supply chain information security can help organizations protect against these threats.

Table of contents:

Medusa Affiliate Exploiting CVE-2025-10035 in GoAnywhere MFT

Recent cybersecurity analysis has revealed that the Medusa ransomware group is actively exploiting the GoAnywhere MFT (Managed File Transfer) vulnerability, tracked as CVE-2025-10035. This campaign, ongoing since at least September 11, 2025, highlights the critical need for organizations to implement enhanced security measures, including real-time ransomware intelligence and breach detection mechanisms. Understanding the tactics, techniques, and procedures (TTPs) employed by threat actors like Medusa is crucial for effective defense.

Microsoft Defender researchers have linked exploitation activity targeting a vulnerability in Fortra’s GoAnywhere MFT file transfer platform to Storm-1175, an affiliate of the Medusa ransomware-as-a-service operation. This campaign, which began around September 11, 2025, leverages the now-publicly disclosed deserialization vulnerability CVE-2025-10035, initially a zero-day exploit. The successful exploitation of this vulnerability has resulted in the deployment of Medusa ransomware in at least one compromised environment, underscoring the severity of the threat.

This incident highlights the need for organizations to prioritize supply-chain risk monitoring and implement proactive measures to defend against ransomware attacks.

Technical Breakdown of the Attack

The Medusa ransomware affiliate, known as Storm-1175, executed a multi-stage attack. The initial phase involved exploiting CVE-2025-10035, a deserialization vulnerability within GoAnywhere MFT. After gaining initial access, the attackers deployed remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent, to establish persistence within the compromised systems.

Following the deployment of RMM tools, Storm-1175 performed network discovery using tools like netscan to map the internal network. Lateral movement was achieved by leveraging the RMM tools, which also facilitated the establishment of command and control (C2) infrastructure.

In the exfiltration stage, the attackers used Rclone to steal data from the compromised environment. The final stage involved the successful deployment of Medusa ransomware, encrypting systems and demanding a ransom for data recovery.

Impact and Response

The exploitation of CVE-2025-10035 by the Medusa ransomware group has significant implications for organizations using GoAnywhere MFT. The successful deployment of ransomware can lead to:

  • Data encryption and loss of access to critical systems.
  • Data exfiltration, potentially resulting in public disclosure of sensitive information.
  • Financial losses due to ransom demands, recovery costs, and business disruption.
  • Reputational damage and loss of customer trust.

To mitigate the risk associated with this vulnerability and similar threats, organizations should take the following steps:

  • Apply Security Patches: Organizations running GoAnywhere MFT should immediately apply the latest security patches provided by Fortra to address CVE-2025-10035.
  • Conduct a Compromise Assessment: Use the Indicators of Compromise (IOCs) provided by Oracle to scan systems for potential compromise.
  • Implement Network Segmentation: Segment the network to limit lateral movement in case of a breach.
  • Harden Network Exposure: Limit direct internet access to Oracle EBS and follow Oracle’s deployment guidelines.
  • Continuous Monitoring: Maintain robust network monitoring and threat hunting capabilities to detect and contain malicious activity.

Oracle E-Business Suite 0-Day Vulnerability CVE-2025-61882

In related news, the UK National Cyber Security Centre (NCSC) has issued a security alert following the confirmation of active exploitation of a critical 0-day vulnerability, tracked as CVE-2025-61882, in Oracle E-Business Suite (EBS). This vulnerability, a severe remote code execution flaw in the BI Publisher Integration component of Oracle Concurrent Processing within EBS, allows an unauthenticated attacker to compromise the underlying system fully without user interaction.

With a CVSS v3.1 base score of 9.8, CVE-2025-61882 impacts Oracle EBS versions 12.2.3 through 12.2.14, posing the highest risk to organizations that have exposed their Oracle EBS deployments to the public internet.

The NCSC urges all organizations running affected Oracle EBS versions to immediately assess their environments for compromise using the published IoCs from Oracle’s advisory, report suspected incidents, apply security updates (ensuring the October 2023 Critical Patch Update is in place beforehand), harden network exposure, and maintain robust network monitoring and threat hunting to detect and contain malicious activity.

Actionable Advice

For technical readers:

  • Patch Management: Implement a rigorous patch management process to ensure timely application of security updates for all software and systems.
  • Network Segmentation: Segment the network to prevent lateral movement of attackers in case of a successful breach.
  • Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoint activity and detect malicious behavior.
  • Threat Intelligence: Subscribe to threat intelligence feeds to stay informed about emerging threats and vulnerabilities. Cyber threat intelligence platforms can provide valuable insights into attacker TTPs and IOCs.
  • Log Analysis: Implement robust logging and monitoring solutions to detect suspicious activity and potential breaches.

For non-technical readers:

  • Security Awareness Training: Provide regular security awareness training to employees to educate them about phishing, social engineering, and other common attack vectors.
  • Incident Response Plan: Develop and regularly test an incident response plan to ensure a coordinated and effective response to security incidents.
  • Data Backup and Recovery: Implement a robust data backup and recovery plan to minimize data loss in case of a ransomware attack or other disaster.
  • Vendor Risk Management: Assess the security posture of third-party vendors and service providers to minimize supply chain risks.
  • Cyber Insurance: Consider obtaining cyber insurance to help cover the costs of recovery from a cyber attack.

Relevance to PurpleOps Services

These incidents directly relate to several PurpleOps services designed to protect organizations from ransomware and other cyber threats:

  • Cyber Threat Intelligence: PurpleOps provides comprehensive cyber threat intelligence services, including real-time ransomware intelligence, dark web monitoring service, telegram threat monitoring, and underground forum intelligence. This intelligence helps organizations stay ahead of emerging threats and proactively defend against attacks.
  • Breach Detection: PurpleOps offers advanced breach detection capabilities to identify and respond to security incidents quickly and effectively. Our brand leak alerting service can notify you if your sensitive data is compromised.
  • Supply Chain Information Security: PurpleOps specializes in supply-chain risk monitoring, helping organizations assess and mitigate the security risks associated with their third-party vendors and service providers.
  • Red Team Operations and Penetration Testing: These services simulate real-world attacks to identify vulnerabilities and weaknesses in an organization’s security posture.
  • Dark Web Monitoring: Proactively search the dark web for mentions of your brand, leaked credentials, and other sensitive information.

By leveraging these services, organizations can significantly enhance their security posture and reduce their risk of falling victim to ransomware attacks and other cyber threats.

The exploitation of CVE-2025-10035 by the Medusa ransomware group, along with the active exploitation of the Oracle E-Business Suite vulnerability CVE-2025-61882, underscores the importance of proactive security measures and continuous monitoring.

To learn more about how PurpleOps can help you protect your organization from ransomware and other cyber threats, explore our platform and our PurpleOps Solutions, or contact us for more information at Cyber Threat Intelligence. We also offer specialized services such as Red Team Operations, , Supply Chain Information Security, Ransomware Protection, and Dark Web Monitoring.

FAQ

  • What is CVE-2025-10035?
    CVE-2025-10035 is a deserialization vulnerability in Fortra’s GoAnywhere MFT (Managed File Transfer) platform that is being actively exploited by the Medusa ransomware group.
  • What is CVE-2025-61882?
    CVE-2025-61882 is a critical 0-day vulnerability in Oracle E-Business Suite (EBS) that allows an unauthenticated attacker to compromise the underlying system.
  • What can organizations do to protect themselves from these vulnerabilities?
    Organizations should apply security patches, conduct compromise assessments, implement network segmentation, harden network exposure, and maintain robust network monitoring and threat hunting capabilities.
  • How can PurpleOps help?
    PurpleOps offers a range of services, including cyber threat intelligence, breach detection, and supply chain information security, to help organizations protect themselves from ransomware and other cyber threats.