News has emerged of a cyber threat targeting enterprises that use Fortra’s GoAnywhere MFT, as Microsoft Threat Intelligence confirmed that Storm-1175, a known cybercriminal group, leveraged a high-severity vulnerability to launch sophisticated attacks. Storm-1175 reportedly accessed organizations’ systems to install malicious tools and deploy Medusa ransomware, affecting multiple sectors. Recent findings sparked concerns over transparency from Fortra, with security professionals and organizations calling for more effective communications regarding exploited vulnerabilities. Corporate security teams now face renewed pressure to reassess their cyber defense strategies as technical and procedural gaps become evident.
Microsoft’s recent disclosure builds on earlier industry reports about the GoAnywhere MFT vulnerability. Security researchers had already shared indicators of compromise and described exploitation patterns, but the specific actors behind the activity often remained unclear. While earlier briefings laid out generic ransomware behaviors and potential impacts, Microsoft’s analysis adds clarity by directly linking Storm-1175 to the timeline and technical details of the incident, a link that had been missing from Fortra’s prior advisories and public statements.
How Did Storm-1175 Exploit GoAnywhere MFT?
Storm-1175 exploited the CVE-2025-10035 vulnerability in GoAnywhere MFT to gain remote code execution. Using this access, the attackers installed remote monitoring and management tools, such as SimpleHelp and MeshAgent, and deployed web shells to move through targeted networks. According to Microsoft, these intrusions have involved data theft, with some incidents progressing to Medusa ransomware deployment.
“They used this access to install remote monitoring tools such as SimpleHelp and MeshAgent, drop web shells, to move laterally across networks using built-in Windows utilities,”
stated Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.
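As an added defender-side example (not part of the article, and not code from Microsoft, Fortra or watchTowr), the Python hunting heuristic below turns the behaviours described above into checks run over constructed process-creation and file-write events: a remote-management agent (SimpleHelp, MeshAgent) being launched, a built-in Windows utility spawned by the file-transfer service itself, and a script file written into a web-served directory. The MFT service image name, every file path and every log line are assumptions constructed for the demonstration, not values taken from a real deployment.

```python
"""Hunting heuristic for the post-exploitation chain the article describes.

Added example; not the article's or any vendor's code. Inspects JSON-lines
endpoint telemetry (one event per line) and flags:
  1. a SimpleHelp or MeshAgent process being launched (higher severity when
     its parent is the file-transfer service);
  2. a built-in Windows utility (cmd, powershell, wmic, net, schtasks)
     spawned directly by the file-transfer service;
  3. a web-script file (.jsp/.jspx/.aspx/.ashx/.php) written into a
     web-served directory.
Every path, process name and log line below is constructed for the demo.
"""
import json
import re
from dataclasses import dataclass

# Tool names the article associates with the intrusion. Real deployments may
# rename binaries, so treat these as a hunting starting point, not a signature.
RMM_TOOL_PATTERNS = {
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "MeshAgent": re.compile(r"meshagent", re.I),
}

# Assumption: a substring that identifies the MFT service's image path in
# your environment. Replace with the real service binary name.
MFT_SERVICE_HINT = "goanywhere"

# Built-in Windows utilities a file-transfer service has little reason to run.
WINDOWS_UTILITIES = ("cmd.exe", "powershell.exe", "wmic.exe", "net.exe", "schtasks.exe")

WEB_DIR_HINTS = ("webapps", "wwwroot", "htdocs")
WEB_SCRIPT_EXT = re.compile(r"\.(jsp|jspx|aspx|ashx|php)$", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    detail: str


def _lower(value):
    return (value or "").lower()


def check_process(event: dict) -> list:
    """Rules 1 and 2, applied to one process-creation event."""
    findings = []
    image = _lower(event.get("image"))
    cmdline = _lower(event.get("cmdline"))
    parent = _lower(event.get("parent_image"))
    from_mft = MFT_SERVICE_HINT in parent

    for tool, pattern in RMM_TOOL_PATTERNS.items():
        if pattern.search(image) or pattern.search(cmdline):
            severity = "high" if from_mft else "medium"
            findings.append(Finding(severity, f"rmm_{tool.lower()}",
                                    f"{tool} launched by {event.get('parent_image')}"))

    if from_mft and any(image.endswith(util) for util in WINDOWS_UTILITIES):
        findings.append(Finding("high", "mft_spawns_shell",
                                f"MFT service spawned {event.get('image')}"))
    return findings


def check_file(event: dict) -> list:
    """Rule 3, applied to one file-write event."""
    path = _lower(event.get("path"))
    if WEB_SCRIPT_EXT.search(path) and any(hint in path for hint in WEB_DIR_HINTS):
        severity = "high" if MFT_SERVICE_HINT in _lower(event.get("image")) else "medium"
        return [Finding(severity, "webshell_drop",
                        f"script written to web directory: {event.get('path')}")]
    return []


def triage(lines) -> list:
    """Run every rule over JSON-lines telemetry and return all findings."""
    handlers = {"process": check_process, "file": check_file}
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        handler = handlers.get(event.get("type"))
        if handler:
            findings.extend(handler(event))
    return findings


# Constructed sample telemetry: four suspicious events and two benign ones.
SAMPLE_LOG = r"""
{"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami", "parent_image": "C:\\mft\\goanywhere-service.exe"}
{"type": "process", "image": "C:\\ProgramData\\SimpleHelp\\Remote Access.exe", "cmdline": "", "parent_image": "C:\\mft\\goanywhere-service.exe"}
{"type": "process", "image": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", "cmdline": "MeshAgent.exe -install", "parent_image": "C:\\Windows\\explorer.exe"}
{"type": "file", "path": "C:\\mft\\tomcat\\webapps\\ROOT\\help.jsp", "image": "C:\\mft\\goanywhere-service.exe"}
{"type": "process", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "parent_image": "C:\\Windows\\System32\\services.exe"}
{"type": "file", "path": "C:\\Users\\alice\\Documents\\report.docx", "image": "C:\\Program Files\\Office\\winword.exe"}
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(f"[{finding.severity}] {finding.rule}: {finding.detail}")
```

Severity is driven by the parent process: an RMM agent on a workstation may be legitimate, but one started by the file-transfer service has no benign explanation, which is why `from_mft` promotes a finding to high.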
What Role Did Fortra and Other Security Firms Play?
Fortra issued a security advisory about the flaw on September 18, after the vulnerability was already being exploited. Despite the mounting evidence and confirmation from various cybersecurity firms, Fortra has not publicly acknowledged the ongoing exploitation. watchTowr and other firms provided corroborating evidence indicating that attacker activity started at least a day before the official discovery. Federal authorities, including the Cybersecurity and Infrastructure Security Agency (CISA), have categorized the flaw as widely exploited.
“Organizations running GoAnywhere MFT have effectively been under silent assault since at least Sept. 11, with little clarity from Fortra,”
commented Ben Harris, founder and CEO at watchTowr.
Which Organizations Are at Risk from These Attacks?
Storm-1175’s campaigns appear to target a broad range of sectors. Microsoft noted victims in transportation, education, retail, insurance, and manufacturing. The attackers often blend legitimate management tools with stealthy techniques to avoid detection and increase their chances of monetizing breaches through extortion. The full extent of the compromise remains unclear, as researchers have not disclosed the total number of affected organizations. Security authorities have drawn parallels to a similar GoAnywhere exploit from two years ago, which impacted more than 100 entities worldwide.
The handling of this situation highlights recurring problems in timely vulnerability communication and the importance of threat attribution for organizational risk management. The direct link to Storm-1175 gives incident response teams actionable intelligence that was missing from earlier reports on GoAnywhere vulnerabilities. Unlike generic advisories, this targeted analysis underscores the need for both promptly published technical details and vendor transparency in defending against advanced, financially motivated threat groups. Organizations using third-party file transfer solutions like GoAnywhere should prioritize regular patching, continuous monitoring for suspicious activity, and engagement with current threat intelligence sources for effective risk mitigation.