How Did Medusa Ransomware Exploit Fortra’s Critical Flaw?

I’m thrilled to sit down with Rupert Marais, our in-house security specialist with extensive expertise in endpoint and device security, cybersecurity strategies, and network management. With the recent surge in ransomware attacks targeting critical software vulnerabilities, particularly the exploitation of a severe flaw in Fortra’s GoAnywhere managed file transfer product by Medusa ransomware actors, Rupert’s insights are more vital than ever. In this interview, we’ll dive into the nature of the Medusa ransomware threat, the specifics of the exploited vulnerability, the tactics of the cybercrime group behind these attacks, and the broader implications for organizations relying on managed file transfer systems.

Can you walk us through what Medusa ransomware is and why it poses such a significant threat to organizations using software like Fortra’s GoAnywhere?

Medusa ransomware is a particularly nasty strain of malware designed to encrypt an organization’s data and hold it hostage until a ransom is paid. What makes it stand out is its aggressive targeting of vulnerabilities in widely used software, coupled with the operators’ focus on high-value targets. For systems like Fortra’s GoAnywhere, which is a managed file transfer (MFT) solution used to securely share sensitive data, Medusa represents a huge threat because these platforms often handle critical business information. If attackers gain access through a flaw, they can encrypt files, steal data, and disrupt operations, often leading to significant financial and reputational damage.

What sets Medusa ransomware apart from other ransomware variants you’ve encountered?

Unlike some ransomware that relies heavily on phishing or social engineering to gain initial access, Medusa often exploits specific software vulnerabilities, which makes it more technical and targeted. Its operators also tend to pair encryption with data exfiltration, meaning they steal sensitive information before locking it up. This double-threat approach—ransom for decryption and the risk of data leaks—puts extra pressure on victims to pay up. Additionally, Medusa’s association with sophisticated groups means they’re quick to adapt and exploit new flaws almost as soon as they’re discovered.

Can you explain the vulnerability in Fortra’s GoAnywhere product, known as CVE-2025-10035, and why it’s rated as a maximum-severity issue?

CVE-2025-10035 is a deserialization vulnerability in GoAnywhere, which essentially means the software improperly handles data input in a way that can allow attackers to execute malicious code. It’s rated with a perfect CVSS score of 10 because it’s remotely exploitable, requires no user interaction, and can lead to full system compromise. For a product like GoAnywhere, which organizations trust to securely transfer sensitive data, this flaw is catastrophic—it opens the door for attackers to infiltrate networks, deploy ransomware like Medusa, or steal data outright.

In simple terms, what is a deserialization vulnerability, and why is it so dangerous in this context?

Think of deserialization as the process of taking data that’s been formatted for storage or transmission and turning it back into something the software can use. If that process isn’t secure, an attacker can craft malicious data that, when deserialized, tricks the system into running harmful code. In the context of GoAnywhere, this is especially dangerous because MFT systems are often connected to critical parts of an organization’s infrastructure. A single breach through deserialization can give attackers a foothold to move laterally across a network, impacting far more than just the initial point of entry.

There’s been mention of a cybercrime group, Storm-1175, exploiting this flaw. Can you tell us more about who they are and how they operate?

Storm-1175 is a financially motivated cybercrime group known for deploying ransomware, particularly Medusa, as part of their attack campaigns. They’re highly skilled at identifying and exploiting vulnerabilities in enterprise software, often targeting systems that handle sensitive data. Their operations are methodical—they scan for vulnerable systems, exploit flaws like CVE-2025-10035, and then deploy ransomware to maximize disruption and profit. What’s notable is their speed; they’ve been observed exploiting vulnerabilities on the same day they’re discovered, suggesting they have robust reconnaissance and rapid response capabilities.

The exploitation of this vulnerability was observed on the very day it was reported to Fortra. What does this tight timeline tell us about the nature of these attacks?

This timeline strongly suggests that Storm-1175 was exploiting CVE-2025-10035 as a zero-day vulnerability, meaning they were using it before a patch was available or even before the vendor was fully aware of the issue. It points to a highly sophisticated operation—either they discovered the flaw themselves through extensive research or they had insider knowledge. It also underscores how critical it is for organizations to monitor their systems continuously and apply patches the moment they’re released, because threat actors are clearly ready to pounce at the earliest opportunity.

There’s some mystery around how attackers exploited this flaw without access to Fortra’s private key. Can you shed light on what role this private key plays and why it’s so puzzling?

The private key in this context is part of the security mechanism that verifies the legitimacy of certain actions or data within GoAnywhere, like license responses. Essentially, it’s a cryptographic safeguard to ensure that only authorized entities can interact with the system in specific ways. The puzzle here is that exploiting this deserialization flaw seems to require a valid signature tied to that private key, which shouldn’t be accessible to outsiders. The fact that attackers pulled it off suggests either a major oversight—like the key being accidentally exposed in a previous release—or a breach where the key was stolen, which are both deeply concerning scenarios.

Based on the speculation from security researchers, how might attackers have gotten around this private key requirement?

There are a few possibilities that have been floated. One is that the private key was inadvertently included in an earlier version of the software or related documentation, making it accessible to anyone who knew where to look. Another theory is that attackers compromised a system, like a remote license server, that had access to the key, allowing them to use it directly or coerce the system into signing malicious data. While less likely, it’s also possible they found a way to forge a signature without the key, though that would require an extraordinary level of skill or an undisclosed flaw in the verification process. We’re still in the dark on the exact method, but each scenario points to significant risks in how sensitive credentials are managed.

Given the history of vulnerabilities in MFT products like GoAnywhere, what broader lessons should organizations take away from this incident?

This incident is a stark reminder that MFT systems, while critical for secure data sharing, are prime targets for threat actors because of the sensitive information they handle. Organizations need to prioritize regular patching and vulnerability management, but that’s just the start. They should also restrict internet-facing access to these systems, use strong network segmentation to limit lateral movement if a breach occurs, and continuously monitor for suspicious activity. Beyond that, having robust backup and recovery plans is essential—ransomware like Medusa thrives on the desperation of organizations that can’t restore their data without paying.

Looking ahead, what is your forecast for the evolution of ransomware threats targeting enterprise software like MFT solutions?

I expect ransomware actors to become even more targeted and sophisticated in exploiting enterprise software like MFT solutions. As organizations bolster basic defenses against phishing and other common attack vectors, threat groups will increasingly focus on zero-day vulnerabilities and supply chain weaknesses, where they can cause maximum disruption. We’re likely to see more rapid exploitation of newly discovered flaws, as well as greater use of data exfiltration alongside encryption to ramp up pressure on victims. For MFT systems specifically, I anticipate attackers will double down on finding ways to compromise authentication mechanisms and private keys, making it critical for vendors and users alike to enhance security around those components.
