Microsoft on Monday attributed a threat actor it tracks as Storm-1175 to the exploitation of a critical security flaw in Fortra GoAnywhere software to facilitate the deployment of Medusa ransomware.
The vulnerability is CVE-2025-10035 (CVSS score: 10.0), a critical deserialization bug that could result in command injection without authentication. It was addressed in version 7.8.4, or the Sustain Release 7.6.3.
“The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE),” the Microsoft Threat Intelligence team said.
According to the tech giant, Storm-1175 is a cybercriminal group known for deploying Medusa ransomware and exploiting public-facing applications for initial access. Exploitation activity related to CVE-2025-10035 is said to have been detected in multiple organizations on September 11, 2025. It’s worth noting that watchTowr revealed last week that there were indications of active exploitation of the flaw since at least since September 10.
Furthermore, successful exploitation of CVE-2025-10035 could allow attackers to perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware.
The attack chain following initial access entails dropping remote monitoring and management (RMM) tools, such as SimpleHelp and MeshAgent, to maintain persistence. The threat actors have also been observed creating .jsp files within the GoAnywhere MFT directories, often at the same time as the dropped RMM tools.
In the next phase, commands for user, network, and system discovery are executed, followed by leveraging mstsc.exe (i.e., Windows Remote Desktop Connection) for lateral movement across the network.
The downloaded RMM tools are used for command-and-control (C2) using a Cloudflare tunnel, with Microsoft observing the use of Rclone in at least one victim environment for data exfiltration. The attack ultimately paves the way for the Medusa ransomware deployment.
“Organizations running GoAnywhere MFT have effectively been under silent assault since at least September 11, with little clarity from Fortra,” watchTowr CEO and Founder, Benjamin Harris, said. “Microsoft’s confirmation now paints a pretty unpleasant picture — exploitation, attribution, and a month-long head start for the attackers.
“What’s still missing are the answers only Fortra can provide. How did threat actors get the private keys needed to exploit this? Why were organizations left in the dark for so long? Customers deserve transparency, not silence. We hope they will share in the very near future so affected or potentially affected organizations can understand their exposure to a vulnerability that is being actively exploited in the wild.”
