Overview
- Microsoft attributed exploitation of CVE-2025-10035 to the cybercriminal group Storm-1175 and said activity dates back to at least September 11.
- The intrusion chain included deployment of SimpleHelp and MeshAgent for persistence, use of netscan and mstsc.exe for discovery and lateral movement, and Rclone for data exfiltration, with Medusa ransomware observed in one environment.
- Fortra issued fixes on September 18, but its advisory does not acknowledge in-the-wild abuse; customers are advised to restrict Admin Console access and to hunt their logs for errors containing SignedObject.getObject.
- The Shadowserver Foundation reports monitoring more than 500 GoAnywhere MFT instances exposed to the internet, raising concern about unpatched systems.
- Microsoft did not disclose the number of affected organizations or whether attacks continue, and U.S. agencies have previously warned that Medusa has impacted over 300 critical infrastructure entities.
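As an added example that is not part of this page or of Fortra's guidance, the following Python groups Java-style application log lines into entries and flags any entry whose stack trace contains SignedObject.getObject, returning the entry timestamp and exception class so a hunt can be scoped in time. The log layout and the sample lines are constructed assumptions; a real GoAnywhere MFT log may differ.

```python
import re
from typing import Dict, List

# Constructed sample of Java-style log entries (assumption, not real GoAnywhere output):
# a timestamped header line followed by exception and stack-trace continuation lines.
SAMPLE_LOG = """\
2025-09-11 03:14:07 INFO  Scheduled job completed
2025-09-11 03:15:22 ERROR Error parsing license response
java.lang.IllegalStateException: constructed sample failure
\tat java.security.SignedObject.getObject(SignedObject.java:178)
\tat com.example.license.LicenseResponseServlet.doPost(LicenseResponseServlet.java:52)
2025-09-11 03:15:23 INFO  Request handled
2025-09-11 04:02:10 ERROR Unrelated failure
\tat com.example.Other.run(Other.java:10)
"""

# Header line: "<date> <time> <LEVEL> <message>"; continuation lines have no timestamp.
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+(.*)$")
INDICATOR = "SignedObject.getObject"


def group_entries(text: str) -> List[Dict]:
    """Split a log into entries: each timestamped header plus its continuation lines."""
    entries: List[Dict] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": m.group(2),
                            "message": m.group(3), "lines": [line]})
        elif entries:
            # Stack-trace lines belong to the most recent timestamped entry.
            entries[-1]["lines"].append(line)
    return entries


def find_signedobject_errors(text: str) -> List[Dict]:
    """Return entries whose body mentions SignedObject.getObject, with the exception class if present."""
    hits = []
    for e in group_entries(text):
        if INDICATOR in "\n".join(e["lines"]):
            # First non-indented continuation line is the "<ExceptionClass>: <detail>" line.
            exc = next((l.split(":")[0].strip() for l in e["lines"][1:]
                        if not l.startswith("\t")), None)
            hits.append({"ts": e["ts"], "level": e["level"],
                         "message": e["message"], "exception": exc})
    return hits


if __name__ == "__main__":
    for hit in find_signedobject_errors(SAMPLE_LOG):
        print(hit)
```

Because the indicator appears on a continuation line rather than the timestamped header, a plain line-by-line grep would not tell you when the error occurred; grouping first fixes that.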