GoAnywhere MFT CVE-2026-0972

EUVD-2026-24129 HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-04-21 Fortra GHSA-rpc6-m3h5-gmf2
CVSS 3.1 score: 7.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: Apr 21, 2026 - 16:31 (EUVD)
Analysis generated: Apr 21, 2026 - 16:30 (vuln.today)

Description (NVD)

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

Analysis (AI)

An SSH key brute-force attack against the GoAnywhere MFT SFTP service allows remote unauthenticated attackers to compromise Web User accounts configured with SSH key authentication in versions prior to 7.10.0. The SFTP service fails to enforce login attempt limits when SSH key authentication is used, enabling attackers to programmatically guess private keys. …

Remediation (AI)

Within 24 hours: Identify all GoAnywhere MFT instances running versions prior to 7.10.0 and audit SSH key authentication configuration for Web User accounts. Within 7 days: Upgrade to GoAnywhere MFT 7.10.0 or later, or implement network-level SSH brute-force protection (connection rate limiting, IP blacklisting). …
