Hackers who deploy the Medusa ransomware have been observed exploiting a flaw in a popular file transfer application, a vulnerability recently flagged by federal cybersecurity authorities.

Microsoft on Monday released a report detailing exploitation activity across several organizations linked to CVE-2025-10035, a critical flaw in Fortra’s GoAnywhere managed file transfer tool. 

According to the researchers, the attacks were carried out by a group they track as Storm-1175, threat actors known for using Medusa ransomware and targeting exposed applications to gain entry.

“The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware,” the company said. 

Following initial access through the vulnerability, threat actors utilized the SimpleHelp and MeshAgent RMM tools to expand their presence laterally within the affected network. 

Researchers reported observing a successful Medusa ransomware deployment within one of the compromised environments. 

Fortra first disclosed the vulnerability on September 18, noting it had been discovered a week earlier. However, the company has repeatedly declined to confirm whether cybercriminals have exploited it. Microsoft, meanwhile, reported observing exploitation on September 11 — the same day Fortra said it identified the bug. 

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed last week that the vulnerability is being actively exploited and directed all federal civilian agencies to apply patches by October 20. 

CISA and the FBI report that since its emergence in 2021, the Medusa ransomware has been used in attacks against more than 300 critical infrastructure organizations. 

In addition to striking Tonga, the threat actors have carried out attacks against French municipalities, Philippine government bodies, and a Canadian technology company established by two major banks.