Medusa malware active exploitation (CVE-2025-10035)

Cohesity REDLab has released updates to the threat library to detect emerging Medusa variants that are actively exploiting targets in the wild. Users should closely monitor ant-ransomware backup anomalies in Security Center. Threat Scan feature should also be used in tandem to scan backup data using the default threat library or custom YARA rules. Users should also run periodic file-hash scans to detect dormant malware in backup data.

Analysis

Active exploitation of a critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software (CVE-2025-10035) has been observer by numerous vendors including Microsoft. This flaw resides in the License Servlet component and stems from insecure deserialization of license response objects. Attackers can craft malicious payloads that, when deserialized, allow unauthenticated remote code execution (RCE). The severity is heightened because the vulnerability is accessible without authentication, making internet-facing MFT instances particularly exposed.

Threat actors have leveraged this flaw to deploy Medusa ransomware. The attack sequence begins with sending a specially crafted license response to the vulnerable servlet, triggering arbitrary code execution. Once access is obtained, the ransomware executes a series of automated routines: it enumerates files, encrypts them using strong symmetric algorithms, and can exfiltrate sensitive data for double-extortion purposes. The exploitation demonstrates a combination of application-layer vulnerability abuse and sophisticated ransomware techniques, illustrating the dangers of deserialization flaws.

Summary

Cohesity’s Anti-Ransomware and Threat Detection feature lets you scan backups snapshots and secondary stored data for anomalous behavior, known malware signatures, indicators of compromise (IOCs), using both built-in threat feeds and custom YARA rules. This helps ensure that the data recovered from backups is clean and avoids re-infecting production after a breach. It works by integrating curated threat intelligence and anomaly detection into Cohesity data protection platform so that customers can schedule or initiate threat scans over backups, inspect snapshots for malicious or suspicious artifacts, flag or quarantine compromised backups, and then use those evaluations to guide rapid recovery and response.

Cohesity Data Cloud

Data Cloud packaging

Certified platforms

Backup & Recovery

Cloud Data Protection

SaaS Data Protection

Unstructured Data Protection

Cyber Resilience

Zero Trust Security

Archive & Long-Term Retention

Disaster Recovery

Identity Resilience

Ransomware Anomaly Detection

Threat Protection

Data Classification

Cyber Vaulting

Cyber Recovery Orchestration

Digital Jump Bag

Clean Room Solution

AI Conversational Search

Reporting & IT Insights

Global Search

Why Cohesity

Cohesity vs. Rubrik

Cohesity vs. Commvault

View all solutions

Learn more

Microsoft 365 Protection

AWS

Azure

Google Cloud

Google Workspace

Slack

Active Directory & Entra ID

Hyper-V

Kubernetes

IBM

MongoDB

MS SQL Server

NAS

NoSQL & Hadoop

Nutanix

Oracle

Red Hat

SAP HANA

VMware

Financial services

Healthcare and life sciences

Manufacturing and logistics

Federal government

State, local government, and education

Retail and hospitality

Legal

Energy and utilities

Telecom

Technology

Media and Entertainment

View all

Corporate Overview

Blogs

Demos

Events and Webinars

Customer Stories

Glossary

Marketplace

Support

Support login

How-to videos

Cyber Event Response Team

Cohesity User Group

Cohesity Academy

Trust Center

Channel Partners

Global System Integrators

Security Partners

Cloud Alliances

Technology Partners

Managed Service Providers

Data Security Alliance

Leadership