GoAnywhere MFT CVE-2025-14362

EUVD-2025-209540 | Severity: HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-04-21 | Fortra | GHSA-9wqc-r42g-8qgm
CVSS 3.1 base score: 7.3

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (2 events)

Patch available: Apr 21, 2026 - 16:31 (EUVD)
Analysis Generated: Apr 21, 2026 - 16:30 (vuln.today)

Description (source: NVD)

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

Analysis (AI-generated)

SFTP authentication in GoAnywhere MFT prior to 7.10.0 allows remote, unauthenticated attackers to bypass login-attempt limits when targeting accounts configured for SSH key authentication, enabling brute-force attacks against SSH keys. The vulnerability affects the SFTP service specifically when Web Users are configured for SSH key-based login, exposing organizations to credential stuffing attacks. EPSS exploitation probability data was not available, and there was no evidence of active exploitation or public exploit code at the time of analysis, although the attack path is straightforward given network reachability and low complexity (AV:N/AC:L/PR:N).

Technical Context (AI-generated)

GoAnywhere MFT is an enterprise managed file transfer solution supporting multiple protocols, including SFTP. The vulnerability stems from CWE-307 (Improper Restriction of Excessive Authentication Attempts): the platform's login throttling and account lockout mechanisms fail to apply to SFTP authentication attempts when SSH key-based authentication is configured for a Web User account. SSH key authentication relies on public-key cryptography, where the server verifies a signature produced with the client's private key against the public key stored for the account. Without rate limiting, an attacker can make unlimited authentication attempts in an effort to guess a valid key, which matters particularly if weak or short keys are in use. Because the bypass affects only the SFTP service path, the HTTP/web interface appears to enforce limits correctly while the SFTP authentication logic handles rate limiting separately and incompletely.

Remediation (AI-generated)

Upgrade GoAnywhere MFT to version 7.10.0 or later, which enforces login attempt limits on SFTP authentication regardless of authentication method, as documented in Fortra advisory FI-2026-002 (https://fortra.com/security/advisories/product-security/FI-2026-002).

Organizations unable to upgrade immediately should implement compensating controls. Restrict SFTP service access to trusted IP ranges via firewall rules; this eliminates internet-wide exposure but requires maintaining IP allowlists and breaks remote access workflows. Disable SSH key authentication for Web Users and mandate password-based authentication with strong password policies; this reduces the attack surface but changes the user authentication workflow and may conflict with automation requirements. Deploy network-layer rate limiting via IDS/IPS or web application firewall to detect and block rapid authentication attempts against port 22/SFTP; this provides defense in depth but requires tuning thresholds to avoid false positives for legitimate batch operations.

Audit existing SSH keys for strength (minimum 2048-bit RSA, preferably 3072-bit or Ed25519) and rotate any keys generated by legacy tools or shorter than current standards.
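The key audit recommended above can be scripted against an export of the public keys configured for Web Users. The following is an added example, not code from vuln.today or Fortra: it parses authorized_keys-style lines (the OpenSSH wire format from RFC 4253/4251), reads the RSA modulus length or the Ed25519 key, and grades each key with the thresholds the advisory states (below 2048-bit RSA: rotate; 2048 to 3071: acceptable; 3072-bit or larger, or Ed25519: ok). Grading ECDSA as "acceptable" and DSA as "rotate" is my assumption, since the advisory does not mention those types. The sample lines are synthetic wire-format blobs constructed in the script for format testing; they are not usable keys.

```python
import base64
import struct
from dataclasses import dataclass
from typing import Optional

# Thresholds taken from the remediation text above.
MIN_RSA_BITS = 2048
PREFERRED_RSA_BITS = 3072


@dataclass
class KeyReport:
    key_type: str
    bits: Optional[int]   # modulus or curve size where the type has one
    comment: str
    verdict: str          # "rotate", "acceptable", "ok" or "invalid"


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed SSH wire 'string' (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_string(blob: bytes, off: int) -> tuple[bytes, int]:
    """Read one SSH wire 'string' at offset; raises ValueError on truncation."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_public_key_line(line: str) -> KeyReport:
    """Parse '<type> <base64> [comment]' and grade it against the advisory thresholds."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)      # binascii.Error is a ValueError
    wire_type, off = read_string(blob, 0)
    key_type = wire_type.decode("ascii")
    if key_type != declared:
        raise ValueError(f"declared type {declared!r} != encoded type {key_type!r}")

    if key_type == "ssh-rsa":
        _e, off = read_string(blob, off)              # public exponent, not graded
        n, off = read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()  # leading 0x00 pad is harmless here
        verdict = "rotate" if bits < MIN_RSA_BITS else ("acceptable" if bits < PREFERRED_RSA_BITS else "ok")
    elif key_type == "ssh-ed25519":
        pk, off = read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits, verdict = 256, "ok"
    elif key_type.startswith("ecdsa-sha2-nistp"):
        # Assumption (not from the advisory): NIST P-curve keys are graded "acceptable".
        curve, off = read_string(blob, off)
        bits, verdict = int(curve.decode("ascii").removeprefix("nistp")), "acceptable"
    elif key_type == "ssh-dss":
        # Assumption: DSA keys are 1024-bit and deprecated, so always rotate.
        bits, verdict = 1024, "rotate"
    else:
        raise ValueError(f"unsupported key type {key_type!r}")
    return KeyReport(key_type, bits, comment, verdict)


def audit(lines: list[str]) -> dict[str, list[KeyReport]]:
    """Group keys by verdict; blank/comment lines are skipped, unparsable ones land in 'invalid'."""
    out: dict[str, list[KeyReport]] = {"rotate": [], "acceptable": [], "ok": [], "invalid": []}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            rep = parse_public_key_line(line)
            out[rep.verdict].append(rep)
        except ValueError as exc:
            out["invalid"].append(KeyReport("?", None, f"{line[:24]}... ({exc})", "invalid"))
    return out


# --- constructed sample input: synthetic wire-format blobs, NOT real keys ---
def fake_rsa_line(bits: int, comment: str, label: str = "ssh-rsa") -> str:
    n = (1 << (bits - 1)) | 1                          # odd number with exactly `bits` bits
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)
    return f"{label} {base64.b64encode(blob).decode()} {comment}"


def fake_ed25519_line(comment: str) -> str:
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample export of Web User SSH keys",
    fake_rsa_line(1024, "legacy-2012@vendor"),
    fake_rsa_line(2048, "erp-sync@corp"),
    fake_rsa_line(4096, "backup@corp"),
    fake_ed25519_line("ops@corp"),
    "ssh-rsa not*base64* broken@corp",
]

if __name__ == "__main__":
    for verdict, reports in audit(SAMPLE_AUTHORIZED_KEYS).items():
        for r in reports:
            print(f"{verdict:10} {r.key_type:12} {str(r.bits):>5} {r.comment}")
```

Feed it the real export instead of SAMPLE_AUTHORIZED_KEYS; every key in the "rotate" bucket and every "invalid" line is something to act on before the 7.10.0 upgrade lands, and the declared-versus-encoded type check catches exports that were edited by hand.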


CVE-2025-14362 vulnerability details – vuln.today
