Cybercriminal group Storm-1175 exploited CVE-2025-10035, a critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution, to deploy Medusa ransomware. The attack began as early as September 11, with threat actors leveraging the flaw for initial access, followed by lateral movement using tools like SimpleHelp and MeshAgent. Microsoft confirmed successful ransomware deployment in at least one victim environment.

The vulnerability allowed attackers to maintain long-term access, perform system/user discovery, and deploy additional malware. Despite Fortra’s awareness of the bug since September 18, the company failed to disclose active exploitation, leaving organizations vulnerable for weeks. CISA later mandated federal agencies to patch by October 20, while security firm watchTowr warned of ongoing 'silent assaults' targeting GoAnywhere users.

Medusa ransomware, linked to over 300 attacks on critical infrastructure since 2021, has previously breached Minneapolis Public Schools (exposing 100,000+ records), government agencies in the Philippines/France, and NASCAR. The attack’s scale suggests widespread data compromise, though Fortra has not clarified how threat actors obtained private keys for exploitation or the full extent of the damage.
Source: https://therecord.media/medusa-ransomware-exploited-file-transfer
TPRM report: https://www.rankiteo.com/company/fortra
{
  "id": "for2002120100725",
  "linkid": "fortra",
  "type": "Ransomware",
  "date": "6/2021",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Cybersecurity / File Transfer Solutions',
                        'location': 'United States',
                        'name': 'Fortra (GoAnywhere MFT)',
                        'type': 'Technology Company'},
                       {'customers_affected': '100,000+ (students and staff)',
                        'industry': 'Education',
                        'location': 'Minneapolis, Minnesota, USA',
                        'name': 'Minneapolis Public Schools',
                        'type': 'Educational Institution'},
                       {'industry': 'Public Sector',
                        'location': 'Tonga',
                        'name': 'Government of Tonga',
                        'type': 'Government'},
                       {'industry': 'Public Sector',
                        'location': 'France',
                        'name': 'Municipalities in France',
                        'type': 'Local Government'},
                       {'industry': 'Public Sector',
                        'location': 'Philippines',
                        'name': 'Government Agencies in the Philippines',
                        'type': 'Government'},
                       {'industry': 'Finance / Technology',
                        'location': 'Canada',
                        'name': 'Technology Company (created by two of Canada’s largest banks)',
                        'type': 'Financial Technology'},
                       {'industry': 'Public Sector',
                        'location': ['Illinois, USA', 'Texas, USA'],
                        'name': 'Government Bodies in Illinois and Texas',
                        'type': 'State Government'},
                       {'industry': 'Entertainment / Sports',
                        'location': 'USA',
                        'name': 'NASCAR',
                        'type': 'Sports Organization'},
                       {'industry': 'Public Sector',
                        'location': 'United States',
                        'name': 'Federal Civilian Agencies (USA)',
                        'type': 'Government'}],
 'attack_vector': ['Exploitation of Public-Facing Application (CVE-2025-10035)',
                   'Remote Monitoring and Management (RMM) Tools (SimpleHelp, MeshAgent)',
                   'Lateral Movement'],
 'customer_advisories': ['Fortra Public Warning (September 18, 2025)',
                         'Urgent Patching Recommendations for GoAnywhere MFT Users'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'number_of_records_exposed': '100,000+ (Minneapolis Public Schools alone)',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes PII, student records, government data)',
                 'type_of_data_compromised': ['Sensitive Student Documents (Minneapolis Public Schools)',
                                              'Potential PII and Corporate Data (Other Victims)']},
 'date_detected': '2025-09-11',
 'date_publicly_disclosed': '2025-09-18',
 'description': "Cybercriminals (Storm-1175) exploited a critical vulnerability (CVE-2025-10035) in Fortra's GoAnywhere managed file transfer (MFT) solution to deploy Medusa ransomware. The attack involved initial access via the vulnerability, lateral movement using SimpleHelp and MeshAgent RMM tools, and eventual ransomware deployment. The vulnerability was discovered by Fortra on September 11, 2025, with exploitation observed on the same day. CISA issued a directive on October 20, 2025, mandating federal agencies to patch the flaw. The Medusa ransomware group has targeted over 300 organizations globally, including critical infrastructure, municipalities, and government agencies.",
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'identity_theft_risk': True,
            'operational_impact': True,
            'systems_affected': True},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': 'CVE-2025-10035 (GoAnywhere MFT Vulnerability)',
                           'high_value_targets': ['Critical Infrastructure',
                                                  'Government Agencies',
                                                  'Financial Institutions',
                                                  'Educational Institutions']},
 'investigation_status': 'Ongoing (as of October 2025)',
 'lessons_learned': ['Delayed public disclosure by vendors can exacerbate exploitation risks.',
                     'Critical vulnerabilities in file transfer tools pose significant supply-chain risks.',
                     'RMM tools (e.g., SimpleHelp, MeshAgent) are increasingly abused for lateral movement.',
                     'Proactive patching and threat intelligence sharing are critical for mitigating ransomware risks.'],
 'motivation': ['Financial Gain', 'Data Theft', 'Disruption'],
 'post_incident_analysis': {'corrective_actions': ['Mandatory Patching (CISA Directive)',
                                                   'Enhanced Monitoring for RMM Tool Abuse',
                                                   'Improved Vendor Transparency in Vulnerability Disclosures',
                                                   'Incident Response Drills for Ransomware Scenarios'],
                            'root_causes': ['Unpatched Critical Vulnerability (CVE-2025-10035) in GoAnywhere MFT',
                                            'Delayed Public Disclosure by Vendor (Fortra)',
                                            'Abuse of Legitimate RMM Tools (SimpleHelp, MeshAgent) for Lateral Movement',
                                            'Lack of Proactive Threat Hunting for Early Detection']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Medusa'},
 'recommendations': ['Immediately patch CVE-2025-10035 in GoAnywhere MFT deployments.',
                     'Monitor for signs of exploitation, including unusual RMM tool usage.',
                     'Implement network segmentation to limit lateral movement.',
                     'Enhance logging and detection for early signs of ransomware activity.',
                     'Conduct regular third-party audits of file transfer solutions.',
                     'Prepare incident response plans specifically for ransomware scenarios.'],
 'references': [{'date_accessed': '2025-10-20',
                 'source': 'Microsoft Threat Intelligence Report'},
                {'date_accessed': '2025-10-20',
                 'source': 'CISA Binding Operational Directive 22-01',
                 'url': 'https://www.cisa.gov/news-events/directives'},
                {'date_accessed': '2025-10',
                 'source': 'Recorded Future News (Interview with watchTowr CEO Benjamin Harris)'},
                {'source': 'FBI and CISA Advisory on Medusa Ransomware'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA Directive (Binding Operational Directive 22-01)']},
 'response': {'communication_strategy': ['CISA Directive (October 20, 2025)',
                                         'Public Disclosure by Fortra (September 18, 2025)',
                                         'Microsoft Threat Report (October 2025)'],
              'containment_measures': ['Patching (CVE-2025-10035)',
                                       'Isolation of Affected Systems'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'third_party_assistance': ['Microsoft Threat Intelligence',
                                         'watchTowr',
                                         'CISA',
                                         'FBI']},
 'stakeholder_advisories': ['CISA Directive for Federal Agencies (Patch by October 20, 2025)',
                            'Microsoft Threat Report (October 2025)',
                            'watchTowr Warnings (September 2025)'],
 'threat_actor': 'Storm-1175 (associated with Medusa ransomware)',
 'title': "Exploitation of CVE-2025-10035 in Fortra's GoAnywhere MFT Leading to Medusa Ransomware Attacks",
 'type': ['Ransomware', 'Vulnerability Exploitation', 'Data Breach'],
 'vulnerability_exploited': "CVE-2025-10035 (Critical vulnerability in Fortra's GoAnywhere MFT)"}