Skip to main content

GoAnywhere MFT CVE-2025-14362

| EUVDEUVD-2025-209540 HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-04-21 Fortra GHSA-9wqc-r42g-8qgm
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 23, 2026 - 14:37 vuln.today
cvss_changed
Patch released
Apr 23, 2026 - 14:16 nvd
Patch available
Patch available
Apr 21, 2026 - 16:31 EUVD
Analysis Generated
Apr 21, 2026 - 16:30 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 14:30 euvd
EUVD-2025-209540
Analysis Generated
Apr 21, 2026 - 14:30 vuln.today
CVE Published
Apr 21, 2026 - 14:14 nvd
HIGH 7.3

DescriptionCVE.org

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

AnalysisAI

SFTP authentication in GoAnywhere MFT prior to 7.10.0 allows remote unauthenticated attackers to bypass login attempt limits when targeting accounts configured with SSH key authentication, enabling brute force attacks against SSH private keys. The vulnerability affects the SFTP service specifically when Web Users are configured for SSH key-based login, exposing organizations to credential stuffing attacks. EPSS exploitation probability data not available; no evidence of active exploitation or public exploit code at time of analysis, though the attack vector is straightforward given network accessibility and low complexity (AV:N/AC:L/PR:N).

Technical ContextAI

GoAnywhere MFT is an enterprise managed file transfer solution supporting multiple protocols including SFTP. The vulnerability stems from CWE-307 (Improper Restriction of Excessive Authentication Attempts), where the platform's login throttling and account lockout mechanisms fail to apply to SFTP authentication attempts when SSH key-based authentication is configured for Web User accounts. SSH key authentication typically relies on public/private key cryptography, where the server validates a client's private key against stored public keys. Without rate limiting, attackers can perform unlimited authentication attempts to guess or brute force valid SSH keys, particularly if weak keys are in use. This bypass affects only the SFTP service path, suggesting the HTTP/web interface enforces limits correctly but SFTP authentication logic handles rate limiting separately and incompletely.

RemediationAI

Upgrade GoAnywhere MFT to version 7.10.0 or later, which enforces login attempt limits on SFTP authentication regardless of authentication method, as documented in Fortra advisory FI-2026-002 (https://fortra.com/security/advisories/product-security/FI-2026-002). Organizations unable to upgrade immediately should implement compensating controls: restrict SFTP service access to trusted IP ranges via firewall rules (eliminates internet-wide exposure but requires maintaining IP allowlists and breaks remote access workflows); disable SSH key authentication for Web Users and mandate password-based authentication with strong password policies (reduces attack surface but changes user authentication workflow and may conflict with automation requirements); deploy network-layer rate limiting via IDS/IPS or web application firewall to detect and block rapid authentication attempts against port 22/SFTP (provides defense in depth but requires tuning thresholds to avoid false positives for legitimate batch operations). Audit existing SSH keys for strength (minimum 2048-bit RSA, preferably 3072-bit or Ed25519) and rotate any keys generated by legacy tools or shorter than current standards.

Share

CVE-2025-14362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy