Microsoft on Monday determined that the attacker it tracks as Storm-1175 was a exploiting a serious security flaw in the Fortra GoAnywhere software to facilitate deployment of Medusa ransomware.
This vulnerability is CVE-2025-10035 (CVSS score: 10.0) and is a critical deserialization bug that can cause command injection without authentication. This issue was resolved in version 7.8.4 or Sustain release 7.6.3.
“The vulnerability could allow an attacker with a validly forged license response signature to deserialize any object controlled by the attacker, which could lead to command injection and remote code execution (RCE),” the Microsoft Threat Intelligence team said.
According to the technology giant, Storm-1175 is a cybercrime group known for deploying Medusa ransomware since September 11, 2025 and exploiting published applications for early access. It is worth noting that watchTowr revealed last week that there have been signs of the flaw being actively exploited since at least September 10th.
Additionally, successful exploiting CVE-2025-10035 could result in attackers performing system and user detection, maintaining long-term access, and deploying additional tools for horizontal movement and malware.
Attack chains following initial access require the drop of remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent to maintain persistence. It has also been observed that attackers often create .jsp files in the GoAnywhere MFT directory at the same time as the RMM tool is dropped.
The next phase involves user, network, and system discovery commands followed by horizontal movement of the entire network using mstsc.exe (i.e. Windows Remote Desktop Connection).
The downloaded RMM tool was used for command and control (C2) using Cloudflare tunnels, and Microsoft has observed that Rclone is being used for data leakage in at least one damaged environment. This attack ultimately paves the way for the deployment of Medusa ransomware.
“The organization that runs GoAnywhere MFT has been virtually silent assaulted since at least September 11th, but little has been revealed from Fortra,” said Benjamin Harris, CEO and founder of watchTowr. “Microsoft’s confirmation highlighted a very unpleasant situation of misuse, belongings and a month-long head start for attackers.
“What’s still missing is the answer only Fortra can provide. How did attackers get the private key needed to exploit this? Why have organizations been buried in the dark for so long? Customers need transparency rather than silence. We hope that the affected or likely to be affected will be shared in the near future so that they can understand their exposure to vulnerabilities that are actually actively exploited.”
Source link
