Microsoft Links ‘Active Exploitation’ Of GoAnywhere To Cybercrime Group
The threat actor, tracked as Storm-1175, has previously been characterized by Microsoft as a financially motivated group based in China.
Microsoft disclosed Monday that it has observed “active exploitation” of a maximum-severity vulnerability impacting Fortra’s GoAnywhere file transfer platform.
The disclosure — which confirms previous reporting by researchers at cybersecurity vendor watchTowr — links at least some of the attacks against GoAnywhere customers to a cybercriminal group tracked as Storm-1175.
Previously, Microsoft researchers have characterized Storm-1175 as a financially motivated group based in China, though the country is not mentioned in the post Monday or in a prior post from July 2024 mentioning the group.
In the blog post Monday, Microsoft researchers said that the GoAnywhere vulnerability (tracked as CVE-2025-10035) — which has received a severity rating of 10.0 out of 10.0 — has seen “exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175.”
The group is “known for deploying Medusa ransomware and exploiting public-facing applications for initial access [and] was observed exploiting the vulnerability,” the Microsoft researchers said.
CRN has reached out to Fortra for comment.
The critical GoAnywhere vulnerability was disclosed by Fortra on Sept. 18, though without any mention of exploitation activity.
In a post Sept. 26, watchTowr researchers wrote that they had received “credible evidence of in-the-wild exploitation” of the vulnerability, which can be exploited to enable remote injection of commands without a user needing to authenticate.
Notably, the evidence suggests that attacks exploiting the GoAnywhere flaw began as far back as Sept. 10, according to the watchTowr researchers.
“That is eight days before Fortra’s public advisory, published September 18,” the researchers wrote in the post Sept. 26.
Fortra said that the vulnerability was discovered Sept. 11. Fixes are available for the vulnerability in the updated version 7.8.4 (or the sustain release version 7.6.3).
The cybersecurity and business software vendor previously saw widespread attacks targeting GoAnywhere in early 2023, when a zero-day vulnerability was exploited to steal data from numerous large organizations.