Market Impact: 0.7

Microsoft: Critical GoAnywhere bug exploited in ransomware attacks


The cybercrime group Storm-1175 is actively exploiting a critical zero-day deserialization vulnerability (CVE-2025-10035) in Fortra's GoAnywhere MFT tool, deploying Medusa ransomware and exfiltrating data in attacks confirmed by Microsoft since at least September 10, 2025. This group, previously linked to attacks on critical infrastructure and other ransomware operations, leverages the flaw for initial access, then uses RMM tools for persistence and network reconnaissance, posing significant operational and data security risks for affected organizations. Fortra and Microsoft urge immediate upgrades and log inspections to mitigate the ongoing threat.

Analysis

A cybercrime group, tracked as Storm-1175, has been actively exploiting a maximum-severity GoAnywhere MFT vulnerability in Medusa ransomware attacks for nearly a month.

Tracked as CVE-2025-10035, the flaw affects Fortra's web-based secure file transfer tool GoAnywhere MFT and is caused by a deserialization of untrusted data weakness in the License Servlet. It can be exploited remotely in low-complexity attacks that don't require user interaction.

Security analysts at the Shadowserver Foundation are now monitoring over 500 GoAnywhere MFT instances exposed online, although it's unclear how many have already been patched.

While Fortra patched the vulnerability on September 18 without mentioning active exploitation, security researchers at WatchTowr Labs tagged it as exploited in the wild one week later, after receiving "credible evidence" that CVE-2025-10035 had been leveraged as a zero-day since September 10.

Exploited in Medusa ransomware attacks

Today, Microsoft confirmed WatchTowr Labs' report, stating that a known Medusa ransomware affiliate it tracks as Storm-1175 has been exploiting this vulnerability in attacks since at least September 11, 2025.

"Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175," Microsoft said. "For initial access, the threat actor exploited the then-zero-day deserialization vulnerability in GoAnywhere MFT. To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent."

In the next stage of the attack, the ransomware affiliate launched the RMM binaries, used Netscan for network reconnaissance, executed commands for user and system discovery, and moved laterally through the compromised network to multiple systems using the Microsoft Remote Desktop Connection client (mstsc.exe).
During the attack, they also deployed Rclone in at least one victim's environment to exfiltrate stolen files and deployed Medusa ransomware payloads to encrypt victims' files.

In March, CISA issued a joint advisory with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), warning that the Medusa ransomware operation had impacted over 300 critical infrastructure organizations across the United States.

Together with three other cybercrime gangs, the Storm-1175 threat group was also linked by Microsoft in July 2024 to attacks exploiting a VMware ESXi authentication bypass vulnerability that had led to the deployment of Akira and Black Basta ransomware.

To defend against Medusa ransomware attacks targeting their GoAnywhere MFT servers, Microsoft and Fortra advised admins to upgrade to the latest versions. Fortra also asked customers to inspect their log files for stack trace errors containing the SignedObject.getObject string to determine whether their instances have been impacted.

A critical zero-day vulnerability, CVE-2025-10035, affecting Fortra's GoAnywhere MFT tool, is being actively exploited by the Storm-1175 cybercrime group. This deserialization flaw, exploited since at least September 10, 2025, facilitates Medusa ransomware attacks and data exfiltration. Microsoft (MSFT) confirmed this widespread exploitation, identifying the group's tactics, techniques, and procedures (TTPs) across multiple organizations.
The Storm-1175 group demonstrates sophisticated capabilities, employing RMM tools for persistence, Netscan for reconnaissance, and Rclone for data exfiltration. Notably, this group was previously implicated by Microsoft in July 2024 for exploiting a VMware ESXi (VMW) vulnerability, targeting critical infrastructure and deploying other ransomware variants like Akira and Black Basta. The Medusa ransomware operation itself has already impacted over 300 critical infrastructure organizations in the US. The ongoing exploitation of a widely used MFT solution presents significant operational and data security risks for enterprises, particularly those in critical infrastructure sectors. Fortra and Microsoft advise immediate upgrades to the latest GoAnywhere MFT versions and log inspections for specific stack trace errors to identify compromise. The overall market sentiment is extremely negative (-0.9) with a high market impact (0.7), reflecting the severity of this persistent cybersecurity threat.
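Fortra's guidance above is to look for stack trace errors containing the SignedObject.getObject string. The following is an added example (not Fortra's or Microsoft's tooling) that groups multi-line stack traces into log entries and reports the ones carrying that string; the timestamp layout, the sample log and the class names in it are constructed assumptions, so adapt the entry pattern to the real log format before use.

```python
"""Flag log entries whose stack trace contains the SignedObject.getObject
string Fortra told GoAnywhere MFT customers to search for.
Added example; log layout and sample content are constructed."""
import re
from typing import Dict, List

INDICATOR = "SignedObject.getObject"
# Constructed assumption: every entry begins with a timestamp line;
# stack frames and "Caused by:" lines carry no timestamp and belong
# to the entry above them.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")


def split_entries(log_text: str) -> List[List[str]]:
    """Group raw lines into entries so a multi-line trace stays together."""
    entries: List[List[str]] = []
    for line in log_text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append([line])
        else:
            entries[-1].append(line)
    return entries


def find_suspicious_entries(log_text: str) -> List[Dict[str, str]]:
    """Return every entry whose text mentions the indicator string.
    No exception-type filter is applied, so traces are not missed just
    because they are logged as an Error rather than an Exception."""
    hits: List[Dict[str, str]] = []
    for entry in split_entries(log_text):
        frame = next((l.strip() for l in entry if INDICATOR in l), None)
        if frame is not None:
            hits.append({"timestamp": entry[0][:19],
                         "first_line": entry[0],
                         "frame": frame})
    return hits


# Constructed sample: two benign entries around one error shaped like
# the trace described in the article (class names are placeholders).
SAMPLE_LOG = """\
2025-09-12 03:14:07 INFO  Scheduled job completed
2025-09-12 03:15:22 ERROR Unhandled exception in License Servlet
java.lang.ClassCastException: placeholder message
    at java.security.SignedObject.getObject(SignedObject.java)
    at com.example.placeholder.LicenseServlet.doPost(LicenseServlet.java)
2025-09-12 03:16:01 INFO  Session cleanup finished
"""

if __name__ == "__main__":
    for hit in find_suspicious_entries(SAMPLE_LOG):
        print(f"[{hit['timestamp']}] {hit['first_line']}\n    {hit['frame']}")
```

A hit means the indicator string was found, which warrants investigation of that host; its absence does not prove an instance was never targeted, so upgrading remains the primary step.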