Microsoft links Storm-1175 to zero-day exploitation of GoAnywhere MFT

Microsoft Threat Intelligence said a cybercriminal group it tracks as Storm-1175 exploited a maximum-severity vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) product to initiate multi-stage attacks that included ransomware, and that researchers observed the malicious activity on Sept. 11.

Microsoft’s findings add to intelligence indicating the defect was used as a zero-day before Fortra disclosed and patched CVE-2025-10035 on Sept. 18. Fortra has not confirmed that the vulnerability was under active exploitation and did not answer questions or provide further information after it updated its security advisory on Sept. 18 to include indicators of compromise.

According to Microsoft, the group exploited CVE-2025-10035 to achieve remote code execution, then installed remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent, dropped web shells and moved laterally using built-in Windows utilities. “In at least one instance, the intrusion led to data theft via Rclone and a Medusa ransomware deployment,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told the reporting outlet in an email.

Microsoft’s analysis bolsters research from other firms, including watchTowr, which reported evidence of active exploitation dating to Sept. 10. Ben Harris, founder and CEO at watchTowr, said Microsoft’s linkage to a known Medusa affiliate confirmed concerns about exploitation and left unanswered questions that only Fortra can address.

Federal cyber authorities also acknowledge active exploitation. The Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its known exploited vulnerabilities catalog on Sept. 29 and noted the defect has been used in ransomware campaigns.

Microsoft said the attacks appear opportunistic and have affected organisations in transportation, education, retail, insurance and manufacturing. Researchers have not disclosed how many organisations have been impacted; the article noted Fortra customers experienced a widely exploited zero-day in the same product two years ago that affected more than 100 organisations. “Customers deserve transparency, not silence,” Harris said.