Microsoft Links Medusa Ransomware Group to Ongoing GoAnywhere Exploits
Seattle, WA – Microsoft has attributed ongoing exploitation of a critical vulnerability in Fortra’s GoAnywhere MFT software to affiliates of the Medusa ransomware group, confirming months of suspected malicious activity. The tech giant’s report reveals the attacks began as early as September 11th and remain active, raising concerns about the extent of compromised organizations and the potential for data breaches.
The vulnerability, tracked as CVE-2025-10035, allows for unauthorized access to GoAnywhere systems. While Fortra issued an advisory regarding the flaw, it initially did not disclose any evidence of active exploitation. This lack of transparency has drawn criticism from security researchers, who argue that affected organizations were left vulnerable for an extended period. The revelation from Microsoft underscores the severity of the situation and the need for immediate action by GoAnywhere users.
WatchTowr CEO Benjamin Harris, who previously faulted Fortra for withholding exploitation details, stated the Microsoft report “confirmed what we feared. Organizations running GoAnywhere MFT have effectively been under silent assault since at least September 11, with little clarity from Fortra.” He emphasized the critical need for Fortra to provide answers regarding how attackers obtained the necessary private keys and why organizations were not promptly informed of the ongoing threat.
Microsoft declined to disclose the number of organizations impacted or whether the exploitation is still underway. Fortra has yet to respond to inquiries from The Register regarding the attacks. Harris further urged Fortra to share data, stating, “Customers deserve transparency, not silence,” and calling for a swift release of details to help organizations assess their exposure.
The ongoing exploitation highlights the risks associated with supply chain vulnerabilities and the importance of rapid vulnerability disclosure and patching. GoAnywhere MFT is a widely used managed file transfer solution, meaning a successful attack could have far-reaching consequences for businesses relying on the software to securely exchange sensitive data.