The cybercrime group **Storm-1175** exploited a **critical zero-day vulnerability (CVE-2025-10035)** in **Fortra’s GoAnywhere MFT**, a secure file transfer tool, to deploy **Medusa ransomware**. The flaw, a **deserialization of untrusted data** in the License Servlet, allowed **remote, low-complexity attacks without user interaction**, enabling initial access. Attackers then used **RMM tools (SimpleHelp, MeshAgent)** for persistence, conducted **network reconnaissance (Netscan)**, and moved laterally via **RDP (mtsc.exe)**. Data was exfiltrated using **Rclone**, followed by **file encryption with Medusa ransomware**. The vulnerability was **actively exploited since September 10, 2025**, before Fortra’s patch on **September 18**. Over **500 exposed GoAnywhere MFT instances** were detected, though patching status remains unclear. **Microsoft confirmed Storm-1175’s involvement**, linking them to prior attacks on **300+ U.S. critical infrastructure organizations**. The attack chain disrupted operations, risked **sensitive data exposure**, and demanded **ransom payments**, aligning with Medusa’s history of **high-impact extortion**.
TPRM report: https://www.rankiteo.com/company/fortra
"id": "for2992029100625",
"linkid": "fortra",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
```python
{'affected_entities': [{'customers_affected': '300+ critical infrastructure organizations (per CISA advisory)',
                        'industry': 'Cybersecurity/File Transfer',
                        'location': 'Global',
                        'name': 'Fortra (GoAnywhere MFT)',
                        'type': 'Software Vendor'},
                       {'location': 'Primarily United States',
                        'name': 'Multiple Unnamed Organizations',
                        'type': ['Critical Infrastructure', 'Private Sector']}],
 'attack_vector': ['Remote Code Execution (RCE)',
                   'Deserialization of Untrusted Data (CVE-2025-10035)',
                   'Abuse of RMM Tools (SimpleHelp, MeshAgent)'],
 'customer_advisories': ['Patch immediately',
                         'Inspect logs for exploitation indicators'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'date_detected': '2025-09-10',
 'date_publicly_disclosed': '2025-09-25',
 'description': 'A cybercrime group, tracked as Storm-1175, has been actively '
                'exploiting a maximum severity GoAnywhere MFT vulnerability '
                '(CVE-2025-10035) in Medusa ransomware attacks since at least '
                'September 11, 2025. The flaw, caused by a deserialization of '
                'untrusted data weakness in the License Servlet, allows remote '
                'exploitation in low-complexity attacks without user '
                'interaction. Over 500 GoAnywhere MFT instances remain exposed '
                'online, with unclear patching status. Storm-1175 abused RMM '
                'tools (SimpleHelp, MeshAgent) for persistence, used Netscan '
                'for reconnaissance, and deployed Rclone for data exfiltration '
                'before encrypting files with Medusa ransomware. CISA, FBI, '
                "and MS-ISAC previously warned of Medusa's impact on over 300 "
                'U.S. critical infrastructure organizations.',
 'impact': {'brand_reputation_impact': 'High (targeting critical infrastructure)',
            'data_compromised': True,
            'identity_theft_risk': 'Potential (if PII was exfiltrated)',
            'operational_impact': 'Significant (encryption of files, network '
                                  'reconnaissance, data exfiltration)',
            'systems_affected': 'Multiple (via lateral movement using mtsc.exe)'},
 'initial_access_broker': {'backdoors_established': ['SimpleHelp RMM',
                                                     'MeshAgent RMM'],
                           'entry_point': 'CVE-2025-10035 (GoAnywhere MFT License Servlet)',
                           'high_value_targets': 'Critical infrastructure organizations (300+ per CISA)',
                           'reconnaissance_period': 'Likely began before September 10, 2025 '
                                                    '(zero-day exploitation)'},
 'investigation_status': 'Ongoing (Microsoft, Fortra, and law enforcement active)',
 'lessons_learned': ['Zero-day vulnerabilities in file transfer tools pose '
                     'high risks to critical infrastructure.',
                     'RMM tool abuse is a common persistence tactic in '
                     'ransomware attacks.',
                     'Proactive patching and log monitoring are critical for '
                     'vulnerability management.'],
 'motivation': 'Financial Gain (Ransomware Extortion)',
 'post_incident_analysis': {'corrective_actions': ['Mandatory patching for all GoAnywhere MFT instances.',
                                                   'Enhanced monitoring for RMM tool deployments.',
                                                   'Restriction of RDP (mtsc.exe) usage to '
                                                   'authorized sessions.'],
                            'root_causes': ['Unpatched zero-day vulnerability '
                                            '(CVE-2025-10035) in GoAnywhere MFT.',
                                            'Lack of behavioral detection for RMM tool abuse.',
                                            'Insufficient network segmentation '
                                            'allowing lateral movement.']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Medusa'},
 'recommendations': ['Immediately patch GoAnywhere MFT instances to the latest version.',
                     'Monitor logs for stack trace errors (e.g., SignedObject.getObject).',
                     'Restrict RMM tool usage to authorized personnel only.',
                     'Implement network segmentation to limit lateral movement.',
                     'Deploy behavioral detection for unusual RDP (mtsc.exe) activity.'],
 'references': [{'date_accessed': '2025-09-25',
                 'source': 'Microsoft Threat Intelligence'},
                {'date_accessed': '2025-09-25',
                 'source': 'Shadowserver Foundation'},
                {'date_accessed': '2025-09-17', 'source': 'WatchTowr Labs'},
                {'date_accessed': '2025-03',
                 'source': 'CISA-FBI-MS-ISAC Joint Advisory'},
                {'date_accessed': '2025-09-18',
                 'source': 'Fortra Security Advisory'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA-FBI-MS-ISAC Joint Advisory (March 2025)']},
 'response': {'communication_strategy': ['Joint advisory by CISA, FBI, and MS-ISAC (March 2025)',
                                         'Microsoft and Fortra customer notifications'],
              'containment_measures': ['Patch deployment (GoAnywhere MFT update)',
                                       'Log inspection for stack trace errors '
                                       '(SignedObject.getObject)'],
              'enhanced_monitoring': 'Recommended (for stack trace errors and lateral movement)',
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['Upgrade to latest GoAnywhere MFT versions',
                                       'Remove unauthorized RMM tools (SimpleHelp, MeshAgent)'],
              'third_party_assistance': ['Microsoft Defender Team',
                                         'Shadowserver Foundation',
                                         'WatchTowr Labs']},
 'stakeholder_advisories': ['CISA-FBI-MS-ISAC Joint Advisory (March 2025)',
                            'Fortra Customer Notification (September 2025)'],
 'threat_actor': 'Storm-1175 (Medusa Ransomware Affiliate)',
 'title': 'Storm-1175 Exploits GoAnywhere MFT Zero-Day (CVE-2025-10035) in '
          'Medusa Ransomware Attacks',
 'type': ['Ransomware Attack', 'Zero-Day Exploitation', 'Data Exfiltration'],
 'vulnerability_exploited': 'CVE-2025-10035 (GoAnywhere MFT License Servlet '
                            'Deserialization Flaw)'}
```