Cybercriminals are using the Medusa ransomware strain during exploitation of a vulnerability in a popular file transfer tool recently highlighted by federal cybersecurity officials. 

Microsoft published a report on Monday analyzing exploitation activity in multiple organizations involving CVE-2025-10035 — a critical vulnerability in Fortra’s GoAnywhere managed file transfer solution.

The researchers attributed the activity to a cybercriminal group they call Storm-1175, noting that the threat actors are known for deploying the Medusa ransomware and for exploiting public-facing applications for initial access. 

“The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware,” the company said.

After using the vulnerability for initial access, the hackers used the remote monitoring and management tools SimpleHelp and MeshAgent before moving laterally across systems within the compromised network. 

The researchers said they saw the successful deployment of Medusa ransomware in one compromised environment.

Fortra initially warned the public about the bug on September 18, saying they discovered it the week before, but the company has continually declined to say if they are aware of it being exploited by cybercriminals. According to Microsoft, exploitation was observed on September 11, the same day Fortra said they discovered the bug. 

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) also confirmed that the vulnerability has been exploited and ordered all federal civilian agencies to patch the bug by October 20. 

For weeks prior to CISA’s notice, cybersecurity experts at the security firm watchTowr warned GoAnywhere users that the vulnerability was being exploited. Company CEO Benjamin Harris told Recorded Future News that organizations running the file transfer tool “have effectively been under silent assault since at least September 11, with little clarity from Fortra.” 

Fortra did not respond to requests for comment. 

“Microsoft’s confirmation now paints a pretty unpleasant picture — exploitation, attribution, and a month-long head start for the attackers,” Harris said. “What’s still missing are the answers only Fortra can provide. How did threat actors get the private keys needed to exploit this? Why were organizations left in the dark for so long?” 

The Medusa ransomware has been used to attack more than 300 organizations in critical infrastructure sectors since emerging in 2021, according to CISA and the FBI.

Medusa drew widespread attention in 2023 for an attack on Minneapolis Public Schools that exposed troves of sensitive student documents impacting more than 100,000 people. 

In addition to attacks on the Pacific island nation of Tonga, it has targeted municipalities in France and government agencies in the Philippines as well as a technology company created by two of Canada’s largest banks. 

Government bodies in Illinois and Texas have also been affected by the group’s attacks. The group most recently took credit for an attack on NASCAR.
