Microsoft Warns of Critical GoAnywhere MFT Vulnerability Exploited in Medusa Ransomware Attacks


390/68 Wednesday, October 8, 2025

Microsoft has disclosed that a cybercriminal group tracked as Storm-1175 has been exploiting a critical vulnerability (CVSS 10.0) in Fortra’s GoAnywhere MFT (Managed File Transfer) software to conduct Medusa ransomware attacks for nearly a month. The flaw, tracked as CVE-2025-10035, stems from the deserialization of untrusted data within the software’s License Servlet component. It allows remote exploitation with low complexity and no user interaction, making it an extremely severe threat to organizations using the tool.

According to Microsoft, Storm-1175, a group associated with Medusa ransomware, began leveraging this zero-day around September 10–11, 2025, to gain initial access. Once inside, the attackers deployed remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent to maintain persistence. They then scanned networks, gathered user and system information, and moved laterally using tools like Microsoft Remote Desktop Connection (mstsc.exe). The attackers also used Rclone to exfiltrate files before finally deploying the Medusa ransomware to encrypt victims’ data as the last stage of the attack.

To mitigate these attacks, both Microsoft and Fortra strongly urge administrators to immediately upgrade GoAnywhere MFT to the latest version. Fortra released a patch addressing the flaw on September 18, 2025. Additionally, Fortra advises customers to inspect their log files for signs of compromise—specifically checking for the error string “SignedObject.getObject” in stack traces, which indicates potential exploitation. Prompt action is deemed critical to reducing the risk posed by this active ransomware campaign.
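The log check Fortra recommends, worked through as an added example (not code from Fortra, Microsoft or the article): group a GoAnywhere-style log into entries, each a timestamped line plus its stack-trace continuation lines, and report every entry whose trace contains “SignedObject.getObject”. The log lines are constructed for illustration, and the timestamp layout and class names other than the JDK’s SignedObject are assumptions, not taken from a real deployment.

```python
import re
from typing import Dict, List

# Constructed sample log, not captured from a real GoAnywhere MFT server.
# The "SignedObject.getObject" frame is the indicator Fortra names; the
# timestamps, thread names and other frames are invented placeholders.
SAMPLE_LOG = """\
2025-09-11 02:14:07,118 INFO  [exec-3] Login successful for user admin
2025-09-11 02:15:31,402 ERROR [exec-7] Error processing license request
java.lang.IllegalArgumentException: placeholder message
\tat java.base/java.security.SignedObject.getObject(Unknown Source)
\tat com.example.placeholder.LicenseHandler.handle(Unknown Source)
2025-09-11 02:16:02,009 INFO  [exec-3] Scheduled job completed
2025-09-11 02:17:45,771 ERROR [exec-2] Unrelated failure
java.io.IOException: disk full
\tat com.example.placeholder.Storage.write(Unknown Source)
"""

# Assumed entry header: "YYYY-MM-DD HH:MM:SS,mmm " (log4j-style); lines that
# do not start this way are continuation lines of the previous entry.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
INDICATOR = "SignedObject.getObject"


def split_entries(text: str) -> List[List[str]]:
    """Group raw log lines into entries (header line + its stack-trace lines)."""
    entries: List[List[str]] = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append([line])
        else:
            entries[-1].append(line)
    return entries


def find_indicator_entries(text: str, indicator: str = INDICATOR) -> List[Dict[str, str]]:
    """Return one record per log entry whose lines contain the indicator string."""
    hits: List[Dict[str, str]] = []
    for entry in split_entries(text):
        matching = [line.strip() for line in entry if indicator in line]
        if matching:
            hits.append({"timestamp": entry[0][:23], "header": entry[0], "frame": matching[0]})
    return hits


if __name__ == "__main__":
    for hit in find_indicator_entries(SAMPLE_LOG):
        print(f"{hit['timestamp']}  {hit['header']}\n    {hit['frame']}")
```

Point the same functions at the contents of a real log file to review a production server; a hit shows where the suspicious trace occurred, not whether exploitation succeeded, so it is a trigger for further investigation.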

Source: https://www.bleepingcomputer.com/news/security/microsoft-critical-goanywhere-bug-exploited-in-ransomware-attacks/