Microsoft detects new wave of Medusa attacks exploiting GoAnywhere vulnerability

07.10.2025 2 minutes Author: Newsman

Microsoft has reported that the Storm-1175 group is actively exploiting a critical vulnerability in Fortra GoAnywhere MFT (CVE-2025-10035) to deploy Medusa ransomware. The flaw carries the maximum CVSS score of 10.0 and allows unauthenticated remote code execution. It is already one of the most serious incidents of autumn 2025.

The vulnerability is a deserialization flaw in the product's license-handling code: an attacker who can present a forged license response signature can make the server deserialize an arbitrary attacker-controlled object, which leads to command injection and arbitrary command execution on the host.

  • According to the Microsoft Threat Intelligence team, the attackers gain initial access by exploiting the internet-facing GoAnywhere application and immediately deploy RMM tools, including SimpleHelp and MeshAgent, to establish persistence on the system.

  • They then drop .jsp files (web shells) into the GoAnywhere directories, collect user, system and network information, and move laterally across the network via mstsc.exe (Remote Desktop Connection). Command-and-control traffic is routed through Cloudflare tunnels, and the Rclone utility was observed being used for data exfiltration. The final stage of the attack is the deployment of Medusa ransomware.

  • According to watchTowr researchers, active exploitation of the vulnerability has been ongoing since at least September 10, 2025, meaning that companies were being compromised well before official confirmation. Benjamin Harris, the founder of watchTowr, noted that "organizations have been under silent attack for over a month while the vendor Fortra has remained silent." Medusa ransomware is known for its attacks on corporate environments that expose public web interfaces and cloud services.

Storm-1175, which Microsoft tracks as a Medusa ransomware affiliate and which has been linked to earlier LAPSUS$ and Scattered Spider campaigns, has throughout 2025 been abusing legitimate IT administration tools to gain covert access to corporate networks.

  1. Fortra GoAnywhere MFT is a widely used managed file transfer product, common in large companies and government agencies. Earlier GoAnywhere vulnerabilities have already caused large-scale data breaches: the 2023 flaw CVE-2023-0669 was exploited by the Cl0p group against well over a hundred organizations. This attack confirms once again that software sold as a security product, in this case a "secure" file transfer server, can itself be the attacker's entry point.

  2. Organizations should immediately upgrade to version 7.8.4 (or 7.6.3 on the Sustain release line), make sure the GoAnywhere admin console is not reachable from the internet, review logs for suspicious activity from September 10 onward, and verify that no RMM tools are running without administrators' knowledge. Patching alone does not evict an attacker who is already inside: unexpected .jsp files in the GoAnywhere directories or unfamiliar RMM agents on the host mean the system must be treated as compromised. Transparency and rapid response from vendors will be critical to cybersecurity in 2025.
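The following triage script is an added example illustrating both the remediation advice above and the attack chain described in the bullets; it is not code from the original article, from Microsoft or from Fortra. It does two things: it decides whether a GoAnywhere version string is below the fixed releases named in the article (7.8.4, or 7.6.3 for the 7.6 Sustain line), and it runs a simple hunt over endpoint telemetry for the post-exploitation stages the article lists (new .jsp files in GoAnywhere directories, SimpleHelp/MeshAgent, mstsc.exe, Cloudflare tunnels, Rclone). The event records, host names, file paths and executable names are constructed for the example and are assumptions; real telemetry fields and binary names will differ, and a renamed or repackaged tool will not match a name-based rule.

```python
"""Triage helpers for GoAnywhere MFT hosts in the context of CVE-2025-10035.

Added example, not vendor code. Version thresholds come from the article:
7.8.4 on the current line and 7.6.3 on the 7.6 Sustain line.
"""
import re
from collections import defaultdict

FIXED_MAINLINE = (7, 8, 4)   # first fixed release on the current line
FIXED_SUSTAIN = (7, 6, 3)    # first fixed release on the 7.6 Sustain line


def parse_version(text):
    """Turn '7.6.2' (optionally with a suffix) into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GoAnywhere version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version):
    """Return (vulnerable, target_version) for a GoAnywhere MFT version string."""
    v = parse_version(version)
    if v[:2] == FIXED_SUSTAIN[:2]:            # 7.6.x stays on the Sustain line
        return v < FIXED_SUSTAIN, "7.6.3"
    return v < FIXED_MAINLINE, "7.8.4"        # everything else goes to 7.8.4


# Executable stems (case-insensitive, with or without .exe) mapped to the
# attack stage from the article. These names are assumptions about how the
# tools usually appear on disk; attackers can rename them.
STAGE_BY_IMAGE = {
    "simplehelp": "rmm",
    "meshagent": "rmm",
    "mstsc": "lateral_rdp",
    "cloudflared": "c2_tunnel",
    "rclone": "exfil",
}


def classify(event, goanywhere_dirs):
    """Map one telemetry event to an attack stage, or None if it matches nothing."""
    kind = event.get("kind")
    if kind == "file":
        path = event.get("path", "").replace("\\", "/").lower()
        # A new .jsp anywhere under the GoAnywhere install tree is the web shell signal.
        if path.endswith(".jsp") and any(d in path for d in goanywhere_dirs):
            return "webshell"
        return None
    if kind == "process":
        name = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        stem = name[:-4] if name.endswith(".exe") else name
        return STAGE_BY_IMAGE.get(stem)
    return None


def hunt(events, goanywhere_dirs=("goanywhere",)):
    """Collect the set of observed stages per host."""
    stages = defaultdict(set)
    for e in events:
        stage = classify(e, goanywhere_dirs)
        if stage:
            stages[e["host"]].add(stage)
    return dict(stages)


def severity(stages):
    """A web shell or unexpected RMM agent is the intrusion signal; RDP alone is routine."""
    if "webshell" in stages or "rmm" in stages:
        return "high" if len(stages) > 1 else "medium"
    if "exfil" in stages or "c2_tunnel" in stages:
        return "medium"
    return "low" if stages else "none"


def triage(events, goanywhere_dirs=("goanywhere",)):
    """Return {host: (severity, sorted list of stages)} for every host with a hit."""
    return {h: (severity(s), sorted(s)) for h, s in hunt(events, goanywhere_dirs).items()}


# Constructed sample telemetry (not real data): one GoAnywhere server showing the
# full chain, and one file server where an admin simply opened an RDP session.
SAMPLE_EVENTS = [
    {"host": "mft01", "kind": "file", "path": r"D:\GoAnywhere\tomcat\webapps\ROOT\x.jsp"},
    {"host": "mft01", "kind": "process", "image": r"C:\Users\Public\SimpleHelp.exe"},
    {"host": "mft01", "kind": "process", "image": r"C:\Windows\System32\mstsc.exe"},
    {"host": "mft01", "kind": "process", "image": r"C:\ProgramData\cloudflared.exe"},
    {"host": "mft01", "kind": "process", "image": r"C:\Temp\rclone.exe"},
    {"host": "fs02", "kind": "process", "image": r"C:\Windows\System32\mstsc.exe"},
]

if __name__ == "__main__":
    for ver in ("7.6.2", "7.7.1", "7.8.4"):
        print(ver, needs_upgrade(ver))
    for host, (sev, stages) in triage(SAMPLE_EVENTS).items():
        print(host, sev, stages)
```

In practice the event list would be fed from EDR or Sysmon exports rather than the constructed sample, and the `goanywhere_dirs` argument should be set to the real installation path. The version check only says whether the installed build is below the fixed releases; because exploitation predates the advisory, a host that is already patched still needs the hunt half of the script run against its history.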
