Microsoft Attributes Medusa Ransomware Deployment to Storm-1175 Group Exploiting Fortra GoAnywhere Vulnerability
On Monday, Microsoft revealed that the Storm-1175 threat actor group exploited a critical security flaw in Fortra GoAnywhere software to facilitate the distribution of Medusa ransomware.
The vulnerability, known as CVE-2025-10035 and rated with a CVSS score of 10.0, is a severe deserialization flaw that could lead to command injection without the need for authentication. This flaw was patched in version 7.8.4 or the Sustain Release 7.6.3.
The Microsoft Threat Intelligence team warned that this vulnerability could enable threat actors to deserialize a controlled object, potentially resulting in command injection and remote code execution (RCE).
Storm-1175, a known cybercriminal group specializing in deploying Medusa ransomware and exploiting public-facing applications for initial access, was linked to the exploitation of CVE-2025-10035. The activity related to this vulnerability was detected in multiple organizations on September 11, 2025. Recent reports also indicated active exploitation of the flaw since at least September 10.
Exploiting CVE-2025-10035 could allow attackers to conduct system and user discovery, maintain prolonged access, and deploy additional tools for lateral movement and malware deployment.
The attack chain following initial access involves dropping remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent for persistence. The threat actors were also observed creating .jsp files in GoAnywhere MFT directories concurrently with the deployment of RMM tools.
Subsequently, the attackers execute commands for user, network, and system discovery, utilizing mstsc.exe (Windows Remote Desktop Connection) for lateral movement within the network.
The downloaded RMM tools are utilized for command-and-control (C2) via a Cloudflare tunnel, with reports of Rclone usage in data exfiltration within at least one victim environment. This sequence ultimately leads to the deployment of Medusa ransomware.
Benjamin Harris, CEO, and Founder of watchTowr, expressed concerns regarding the ongoing exploitation of organizations using GoAnywhere MFT. He emphasized the importance of transparency from Fortra in addressing how threat actors obtained the private keys for exploitation and why affected organizations were not promptly informed about the vulnerability.
Harris stated, “Organizations have been under attack since September 11, with limited communication from Fortra. Microsoft’s confirmation sheds light on the severity of the situation – exploitation, attribution, and a significant head start for the attackers. It is crucial for Fortra to provide transparency to affected organizations to understand their vulnerability to actively exploited flaws.”
