Fortra, the manufacturer of the widely used GoAnywhere managed file transfer (MFT) tool, has once again found itself at the centre of a gathering cyber storm after Microsoft warned it was tracking mass exploitation of a recently patched vulnerability by a ransomware affiliate.
CVE-2025-10035 is a critical deserialisation flaw – bearing a CVSS score of 10.0 – in the GoAnywhere MFT licence servlet. Left unaddressed, it enables a threat actor who has obtained a validly forged licence response signature to deserialise an arbitrary, actor-controlled object.
Early reports suggest that an attacker does not need to authenticate if they can craft or intercept a valid licence response, making internet-exposed instances of GoAnywhere particularly vulnerable. Ultimately, exploitation can lead to command injection and remote code execution.
Fortra issued its own advisory, and a patch, on 18 September, but now, almost three weeks down the line, Microsoft said it had observed a cyber criminal actor it identifies as Storm-1175 – known for its use of Medusa ransomware – exploiting the Fortra flaw.
“Microsoft Defender researchers identified exploitation activity in multiple organisations aligned to tactics, techniques and procedures attributed to Storm-1175,” the Microsoft team said. “Related activity was observed on 11 September 2025.”
Microsoft said it had identified a multi-stage attack chain in which the original zero-day was exploited in the manner already detailed, after which the gang abused the SimpleHelp and MeshAgent remote monitoring and management (RMM) tools to maintain persistence.
Storm-1175 then ran user and system discovery commands and deployed tools such as netscan for network discovery, before using mstsc.exe to conduct lateral movement. Command and control is achieved with RMM tools, and the gang has even used a Cloudflare tunnel for secure communications. The use of Rclone was seen in at least one instance of data exfiltration, followed by the deployment of Medusa ransomware.
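The multi-stage chain Microsoft describes (RMM persistence, discovery, lateral movement via mstsc.exe, tunnelled C2, Rclone exfiltration) is easier to catch as a sequence on one host than as isolated process alerts. The following is an added defender-side example, not code from Microsoft, Fortra or the article: it correlates constructed process-creation events into the stages named above. The stage-to-process mapping and the sample telemetry are assumptions for illustration.

```python
"""Correlate process-creation events into the Storm-1175 stage sequence above."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage labels taken from the article -> process names assumed to indicate them.
# The process names are an illustrative assumption; tune them to your telemetry.
STAGE_INDICATORS = {
    "rmm_persistence": {"simplehelp", "meshagent"},
    "discovery": {"netscan", "whoami", "net"},
    "lateral_movement": {"mstsc"},
    "c2_tunnel": {"cloudflared"},
    "exfiltration": {"rclone"},
}

def classify(process_path):
    """Map a Windows process path to a stage label, or None if unremarkable."""
    name = process_path.lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    for stage, names in STAGE_INDICATORS.items():
        if name in names:
            return stage
    return None

def correlate(events, window=timedelta(hours=24), min_stages=3):
    """events: (iso_timestamp, host, process_path) tuples.
    Returns {host: [stages in order of first sighting]} for every host that
    shows at least min_stages distinct stages inside one sliding window."""
    by_host = defaultdict(list)
    for ts, host, proc in events:
        stage = classify(proc)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), stage))
    hits = {}
    for host, seen in by_host.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):   # window starts at each sighting
            stages = []
            for t, stage in seen[i:]:
                if t - t0 > window:
                    break
                if stage not in stages:
                    stages.append(stage)
            if len(stages) >= min_stages:
                hits[host] = stages
                break
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ("2025-09-11T02:10:00", "mft-gw01", "C:\\ProgramData\\MeshAgent\\MeshAgent.exe"),
    ("2025-09-11T02:15:00", "mft-gw01", "C:\\Windows\\System32\\whoami.exe"),
    ("2025-09-11T02:20:00", "mft-gw01", "C:\\Users\\Public\\netscan.exe"),
    ("2025-09-11T03:00:00", "mft-gw01", "C:\\Windows\\System32\\mstsc.exe"),
    ("2025-09-11T09:00:00", "hr-laptop", "C:\\Windows\\System32\\mstsc.exe"),
    ("2025-09-12T01:30:00", "mft-gw01", "C:\\Users\\Public\\rclone.exe"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

A lone mstsc.exe launch (the hr-laptop event) is not flagged; the MFT gateway is, because four of the stages appear on it within 24 hours.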
KnowBe4 lead chief information security officer advisor Javvad Malik said CVE-2025-10035 warranted immediate attention. “When a managed file transfer gateway receives a critical CVSS 10 rating, it should be treated as an immediate operational risk,” he said.
“Any vulnerability exposed to the internet can enable unauthorised access, and rapid progression to ransomware. While the usual advice of timely patching is important and remains true, it is important to consider the operational challenges many organisations have and to also architect for resilience.
“It’s also important that organisations align technical responses with business continuity,” said Malik. “This includes pre-approved takedown decisions, stakeholder briefings and customer notifications, which should be ready so you can act decisively.”
Although it has never really achieved the notoriety of Conti or LockBit, Medusa is a longstanding fixture in the ransomware “scene”, first emerging during the Covid-19 pandemic years when it hit multiple targets in the US healthcare industry during 2021, using coronavirus-themed lures.
Initially a closed ransomware operation, Medusa later pivoted to a ransomware-as-a-service model, and since 2023 has been able to capitalise on disruption to other gangs, including LockBit. Notably, it offers a “generous” commission structure, with affiliates receiving between 70% and 90% of the take.
These new affiliates spearheaded a surge in Medusa attacks earlier in 2025, with the UK disproportionately affected – Check Point data reveals that Medusa accounted for 9% of observed British victims in the first quarter of 2025, compared with 2% in the rest of the world.