
Cybercriminals Exploit Fortra's GoAnywhere, Affecting 300+ Critical Sectors

Cybercriminals have been actively exploiting a vulnerability in Fortra's GoAnywhere file transfer solution using Medusa ransomware, affecting over 300 organizations in critical sectors since 2021. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed the breach and ordered federal agencies to patch the vulnerability by October 20.

The vulnerability, identified as CVE-2025-10035, allows attackers to gain initial access, perform system discovery, and deploy additional tools for lateral movement. After initial access, the hackers used the remote monitoring tools SimpleHelp and MeshAgent for further infiltration. Microsoft attributes the exploitation activity to a group called Storm-1175, while cybersecurity firm watchTowr warned GoAnywhere users about the vulnerability weeks before CISA's notice.

Notable Medusa ransomware attacks include those on Minneapolis Public Schools, the Pacific island nation of Tonga, and technology companies in Canada. Despite the severity of these attacks, the cybercriminal group behind Medusa ransomware remains unidentified. Fortra initially warned about the bug on September 18 but did not disclose exploitation by cybercriminals until CISA's confirmation.

With over 300 organizations in critical infrastructure sectors affected, the exploitation of Fortra's GoAnywhere vulnerability by Medusa ransomware underscores the importance of prompt patching and robust cybersecurity measures. Federal agencies have been ordered to address the issue by October 20, and organizations using GoAnywhere are urged to follow suit to prevent further compromise.
