On October 7, 2025, Microsoft disclosed that the cybercriminal group known as Storm-1175 has been actively exploiting a critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software to deploy Medusa ransomware. This vulnerability, identified as CVE-2025-10035 with a maximum severity score of 10.0, is a deserialization flaw that permits unauthenticated command injection, potentially leading to remote code execution (RCE). Fortra addressed this issue in versions 7.8.4 and the Sustain Release 7.6.3.
The Microsoft Threat Intelligence team explained that the flaw allows attackers with a forged license response signature to deserialize arbitrary objects, facilitating command injection and possible RCE. Storm-1175, recognized for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed leveraging this vulnerability in multiple organizations starting September 11, 2025. Notably, cybersecurity firm watchTowr reported signs of active exploitation as early as September 10.
Upon successful exploitation, attackers can conduct system and user reconnaissance, establish persistent access, and deploy tools for lateral movement and malware distribution. The attack sequence includes deploying remote monitoring and management (RMM) tools like SimpleHelp and MeshAgent to maintain persistence. Attackers have also been seen creating .jsp files within GoAnywhere MFT directories, coinciding with the deployment of RMM tools.
Subsequent steps involve executing commands for user, network, and system discovery, followed by using Windows Remote Desktop Connection (mstsc.exe) for lateral movement within the network. The RMM tools serve as command-and-control (C2) channels via a Cloudflare tunnel, with instances of Rclone usage for data exfiltration. Ultimately, these actions lead to the deployment of Medusa ransomware.
Benjamin Harris, CEO and Founder of watchTowr, highlighted the prolonged period of exploitation without clear communication from Fortra, emphasizing the need for transparency. He questioned how attackers obtained the private keys necessary for exploitation and why organizations were uninformed for an extended period. Harris urged Fortra to provide clarity so affected entities can assess their exposure to this actively exploited vulnerability.
