Critical GoAnywhere Vulnerability Exploited in Medusa Ransomware Attacks

A critical vulnerability in Fortra’s GoAnywhere MFT secure web-based file transfer tool is being actively exploited in Medusa ransomware attacks. According to Microsoft’s Threat Intelligence Team, the vulnerability is being exploited by a threat group it tracks as Storm-1175, which is known for deploying Medusa ransomware after exploiting vulnerabilities in public-facing applications.

The zero-day deserialization vulnerability is tracked as CVE-2025-10035 and has a maximum CVSS base score of 10. According to Fortra, a threat actor with a validly forged license response signature could deserialize an arbitrary actor-controlled object. Successful exploitation of the flaw can result in command injection without authorization, which can potentially lead to remote code execution. Fortra issued a security advisory about the flaw on September 18, 2025, and explained that the vulnerability affects the GoAnywhere MFT’s License Servlet Admin Console version 7.8.3 and prior versions. The vulnerability has been fixed in version 7.8.4 and the Sustain release 7.6.3.

Microsoft detected attacks exploiting the vulnerability at multiple organizations on September 11, 2025, although the threat intelligence company watchTowr believes that attacks started on September 10, 2025, more than a week before Fortra issued its security alert. Microsoft has observed Storm-1175 dropping remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent for persistence, and in some cases, creating .jsp files within GoAnywhere MFT directories.

The group establishes persistence, sets up secure C2 communications, and deploys additional tools and malware payloads to facilitate network discovery and lateral movement. The latter is achieved using mstsc.exe. The group identifies and exfiltrates sensitive data and has used Rclone for data exfiltration in at least one attack. After data exfiltration, the group deploys Medusa ransomware to encrypt files.

All users are advised to immediately ensure that the GoAnywhere Admin Console is not exposed to the Internet and to update GoAnywhere to the latest version. Since the vulnerability has been exploited since at least September 11, 2025, patching alone is not sufficient. After updating the software, users should investigate for signs of compromise. “Customers are advised to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject: If this string is present in an exception stack trace (similar to the following), then the instance was likely affected by this vulnerability,” explained Fortra in its security alert.
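As an added, defender-side illustration of the Fortra check quoted above (this is not code from Fortra or from the article), the script below scans a Java-style log for the SignedObject.getObject string and flags it only when it appears as a frame inside an exception stack trace, not when it is merely mentioned in an ordinary log line. The sample log, class names and file paths are constructed placeholders, not real GoAnywhere output.

```python
import re
from typing import List, Optional, Tuple

# Indicator named in Fortra's advisory for CVE-2025-10035. The advisory says the
# string must appear inside an exception stack trace, so a bare mention is ignored.
INDICATOR = "SignedObject.getObject"

# Java exception header, e.g. "java.lang.ClassCastException: message" (optionally
# prefixed by "Caused by: "), and a stack frame, e.g. "\tat pkg.Cls.m(Cls.java:1)".
HEADER_RE = re.compile(r"^(?:Caused by: )?[\w.$]+(?:Exception|Error)\b")
FRAME_RE = re.compile(r"^\s+at\s+\S+\(.*\)\s*$")

# Constructed sample, not real GoAnywhere output: an INFO line that mentions the
# indicator outside any trace (must NOT match), a benign trace, and a trace whose
# frame contains the indicator (must match). Class names are placeholders.
SAMPLE_LOG = """\
2025-09-11 02:14:07 INFO  Verified SignedObject.getObject behaviour in unit test
2025-09-11 02:14:08 ERROR Unexpected error
java.lang.IllegalArgumentException: bad input
\tat com.example.Foo.bar(Foo.java:12)
\tat com.example.Main.main(Main.java:3)
2025-09-11 02:15:31 ERROR Unexpected error processing request
java.lang.ClassCastException: cannot assign instance
\tat java.security.SignedObject.getObject(SignedObject.java:180)
\tat com.example.license.LicenseServlet.doPost(LicenseServlet.java:55)
2025-09-11 02:16:00 INFO  Scheduler tick
"""


def find_indicator_traces(log_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, exception header) for every stack trace
    in which a frame contains INDICATOR. Lines outside traces are ignored."""
    hits: List[Tuple[int, str]] = []
    header: Optional[str] = None  # header of the trace currently being read
    hit_recorded = False          # report each trace at most once
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if HEADER_RE.match(line):
            header, hit_recorded = line.strip(), False
        elif header is not None and FRAME_RE.match(line):
            if INDICATOR in line and not hit_recorded:
                hits.append((lineno, header))
                hit_recorded = True
        else:
            header = None         # any non-frame line ends the trace
    return hits


if __name__ == "__main__":
    for lineno, header in find_indicator_traces(SAMPLE_LOG):
        print(f"line {lineno}: {INDICATOR} inside trace '{header}' -> investigate")
```

Point `find_indicator_traces` at the contents of the GoAnywhere log files Fortra refers to; a hit means the instance should be treated as likely affected and investigated further, alongside a review of the Admin Audit logs.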

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog on September 29, 2025, and requires all federal civilian agencies to implement Fortra’s mitigations by October 20, 2025.

The post Critical GoAnywhere Vulnerability Exploited in Medusa Ransomware Attacks appeared first on The HIPAA Journal.

Reid Health Settles Meta Pixel Class Action Data Breach Lawsuit

Reid Hospital & Health Care Services, Inc., doing business as Reid Health, in Richmond, Indiana, has agreed to a settlement to resolve class action litigation over the alleged use of Meta Pixel and other tracking tools on its website.

According to the lawsuit, Jane Doe v. Reid Health, filed in Wayne County Superior Court, State of Indiana, Reid Health impermissibly disclosed patients’ protected health information to third-party technologies without patients’ knowledge or consent. Meta Pixel and other tracking tools can collect information about website users based on their interactions with a website where the tracking code is installed. That information can be linked to individuals via their IP address, and through certain accounts if they are logged into them at the time of the visit. The tracking tools can collect information about the web pages visited, searches performed on the site, and options selected in drop-down boxes. That information can reveal sensitive details about individuals and may be used by third parties to serve them targeted advertisements.

According to the lawsuit, using these tools without alerting website users amounted to negligence. The lawsuit also asserted claims of negligence per se, unjust enrichment, breach of fiduciary duty, invasion of privacy, and a violation of the Indiana Deceptive Consumer Sales Act. Reid Health vigorously denies the disclosure of any personally identifiable information to Meta or other third parties without permission and maintains that there was no wrongdoing whatsoever. Reid Health disputes that it committed, or threatened, or attempted to commit any wrongful act or violation of any law. Reid Health believes that if the lawsuit were to proceed to summary judgment or trial, it would be successful; however, after considering the cost, uncertainty, and risks inherent in any litigation, the decision was taken to settle the lawsuit.

Following mediation, all parties agreed upon a suitable settlement that provides monetary relief and membership to a medical shield product. Class members may submit a claim for a cash payment of $25 and will automatically receive a code to enroll in the medical shield product, which protects against misuse of the class members’ personal information. Notifications about the settlement were mailed on September 25, 2025, and class members have until October 25, 2025, to object to or exclude themselves from the settlement. Claims for a cash payment and Medical Shield membership must be submitted by December 24, 2025, and the final fairness hearing has been scheduled for December 9, 2025.

The post Reid Health Settles Meta Pixel Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.