Storm-1175 Exploits Critical GoAnywhere Vulnerability in Widespread Ransomware Attacks

Storm-1175's use of the CVE-2025-10035 vulnerability has led to a surge in Medusa ransomware attacks. Over 40 victims have been reported in just two months, including a US healthcare organization.

A critical deserialization vulnerability in Fortra's GoAnywhere MFT License Servlet Admin Console has been exploited by the notorious threat group Storm-1175, leading to widespread ransomware attacks. The vulnerability, CVE-2025-10035, has a CVSS score of 10.0 and allows for command injection and potential remote code execution.

Storm-1175, known for its use of Medusa ransomware, exploited the vulnerability a week before the official patch release. Following initial access, the group used legitimate remote monitoring and management tools for lateral movement and malware deployment. Microsoft has warned that the vulnerability is being actively exploited in ransomware attacks, with Medusa claiming over 40 victims in the first two months of 2025 alone, including a US healthcare organization. Since 2021, Medusa has snared over 300 global victims in critical infrastructure sectors. There are currently 513 GoAnywhere instances exposed, with 363 located in Florida. Microsoft urges GoAnywhere customers to upgrade to the latest version of the software and implement additional security measures.

The exploitation of CVE-2025-10035 by Storm-1175 has highlighted the urgent need for GoAnywhere customers to patch their systems and strengthen their security posture. With over 500 instances exposed and a high number of victims, the threat is real and ongoing.
