Microsoft Links Storm-1175 to GoAnywhere Exploit, Medusa Ransomware Deployment

Microsoft has attributed a recent wave of cyberattacks to a threat group identified as Storm-1175, linking it to the exploitation of a critical flaw in Fortra’s GoAnywhere MFT software. The attacks ultimately led to the deployment of Medusa ransomware, affecting several organizations globally.

The vulnerability, tracked as CVE-2025-10035 with a CVSS score of 10.0, is a critical deserialization bug in GoAnywhere MFT's license-handling code that can be abused for unauthenticated command injection. Fortra fixed it in version 7.8.4 and in Sustain Release 7.6.3. According to Microsoft Threat Intelligence, the flaw lets a threat actor who holds a forged license response signature deserialize arbitrary, attacker-controlled objects, resulting in remote code execution (RCE).

Storm-1175’s Exploitation Tactics

Storm-1175 is a cybercriminal group known for exploiting public-facing applications to gain initial access and deploy Medusa ransomware. Microsoft observed exploitation activity related to CVE-2025-10035 in multiple organizations starting September 11, 2025. Security researchers at watchTowr had already reported signs of active exploitation as early as September 10.

Successful exploitation of the flaw can enable attackers to perform system and user reconnaissance, maintain persistent access, and deploy additional tools for lateral movement and malware deployment.

Attack Chain and Tools Used

Once access is achieved, the attackers drop Remote Monitoring and Management (RMM) tools such as SimpleHelp and MeshAgent to maintain persistence. They also create .jsp files inside the GoAnywhere MFT directories, often at about the same time as the RMM tools are deployed.

In the next stage, commands are executed for user, network, and system discovery, followed by leveraging mstsc.exe (Windows Remote Desktop Connection) for lateral movement. The attackers then use the downloaded RMM tools for command-and-control (C2) operations through a Cloudflare tunnel, while tools like Rclone are used for data exfiltration. This sequence ultimately facilitates the deployment of Medusa ransomware.
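One way to turn the chain above into a hunt over endpoint telemetry, as an added example that is not code from Microsoft, Fortra or this article: the events below are constructed, simplified Sysmon-style process- and file-creation records, and the tool image names (MeshAgent.exe, SimpleHelp's executable, cloudflared.exe, rclone.exe), the GoAnywhere install path and the assumption that GoAnywhere runs under java.exe are illustrative assumptions to be adapted to real telemetry.

```python
"""Hunt for the reported GoAnywhere post-exploitation chain in endpoint events.

Added example; not code from Microsoft, Fortra or the article. Image names,
the GoAnywhere path and the java.exe host process are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed on-disk names of the RMM tools named in the report.
RMM_IMAGES = {"meshagent.exe", "simplehelp.exe", "remote access.exe"}
# Common user/network/system discovery binaries.
DISCOVERY_IMAGES = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe",
                    "systeminfo.exe", "nltest.exe", "quser.exe", "tasklist.exe"}
GOANYWHERE_PATH = re.compile(r"goanywhere", re.IGNORECASE)
# rclone transfer verb followed by a remote spec such as "remote:bucket"
# (a local drive letter like "d:\" is excluded by the lookahead).
RCLONE_TRANSFER = re.compile(
    r"\b(copy|sync|move|copyto|moveto)\b.*\b[a-z0-9_-]+:(?![\\/])", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    kind: str           # "process" (creation) or "file" (creation)
    pid: int            # created process (process) or writing process (file)
    ppid: int = 0       # parent pid, process events only
    image: str = ""     # image path of the process
    cmdline: str = ""   # command line, process events only
    path: str = ""      # created file path, file events only


@dataclass(frozen=True)
class Finding:
    stage: str          # stage of the chain as described in the report
    label: str
    pid: int


def image_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events: list, max_depth: int = 4) -> list:
    procs = {e.pid: e for e in events if e.kind == "process"}

    def under_goanywhere_jvm(pid: int) -> bool:
        # Walk the parent chain: commands run through a .jsp web shell are
        # descendants of the Java process hosting GoAnywhere (assumed java.exe).
        for _ in range(max_depth):
            proc = procs.get(pid)
            if proc is None:
                return False
            if image_name(proc.image) == "java.exe" and GOANYWHERE_PATH.search(proc.image):
                return True
            pid = proc.ppid
        return False

    findings = []
    for e in events:
        if e.kind == "file":
            if e.path.lower().endswith(".jsp") and GOANYWHERE_PATH.search(e.path):
                findings.append(Finding("web-shell", "jsp-dropped-in-goanywhere-dir", e.pid))
            continue
        name, cl = image_name(e.image), e.cmdline.lower()
        if name in RMM_IMAGES:
            findings.append(Finding("persistence", "rmm-tool-started", e.pid))
        elif name in DISCOVERY_IMAGES and under_goanywhere_jvm(e.pid):
            findings.append(Finding("discovery", "discovery-from-goanywhere-jvm", e.pid))
        elif name == "mstsc.exe":
            # Assumption: interactive RDP client use from an MFT server is abnormal.
            findings.append(Finding("lateral-movement", "rdp-client-on-mft-server", e.pid))
        elif name == "cloudflared.exe" and "tunnel" in cl:
            findings.append(Finding("c2", "cloudflare-tunnel-started", e.pid))
        elif name == "rclone.exe" and RCLONE_TRANSFER.search(cl):
            findings.append(Finding("exfiltration", "rclone-transfer-to-remote", e.pid))
    return findings


# Constructed sample telemetry reproducing the reported chain plus benign noise.
GA = r"C:\Program Files\GoAnywhere"
SAMPLE_EVENTS = [
    Event("process", 100, 1, GA + r"\jre\bin\java.exe"),
    Event("file", 100, image=GA + r"\jre\bin\java.exe",
          path=GA + r"\tomcat\webapps\ROOT\cmd.jsp"),
    Event("process", 200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    Event("process", 201, 200, r"C:\Windows\System32\whoami.exe", "whoami"),
    Event("process", 202, 200, r"C:\Windows\System32\net.exe",
          'net group "domain admins" /domain'),
    Event("process", 300, 200, r"C:\ProgramData\MeshAgent\MeshAgent.exe", "MeshAgent.exe"),
    Event("process", 400, 300, r"C:\Windows\System32\mstsc.exe", "mstsc.exe /v:10.0.0.5"),
    Event("process", 500, 300, r"C:\ProgramData\cloudflared.exe", "cloudflared.exe tunnel run"),
    Event("process", 600, 300, r"C:\Temp\rclone.exe", r"rclone.exe copy D:\Data remote:bucket"),
    Event("process", 700, 1, r"C:\Windows\System32\svchost.exe"),
    Event("process", 701, 700, r"C:\Windows\System32\whoami.exe", "whoami"),  # benign
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.stage:17} {f.label:32} pid={f.pid}")
```

The ancestry walk is what keeps the discovery rule from firing on every `whoami` on the host: only commands descended from the GoAnywhere JVM are treated as web-shell activity, so the benign `whoami` under svchost in the sample is not reported.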

Expert Concerns and Transparency Issues


Benjamin Harris, CEO and Founder of watchTowr, criticized Fortra’s lack of transparency, stating that organizations using GoAnywhere MFT have been under silent attack since September 11 without adequate communication from the vendor.

“Microsoft’s confirmation now paints a pretty unpleasant picture,” Harris said. “We are seeing exploitation, clear attribution, and evidence that attackers had a month-long advantage. What remains unclear is how the threat actors obtained the private keys necessary for exploitation and why customers were kept in the dark for so long.”

He added that organizations deserve transparency and clarity from Fortra so they can properly assess their exposure to this actively exploited vulnerability.