Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
8DescriptionCVE.org
The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.
AnalysisAI
SSH key brute-force attack against GoAnywhere MFT SFTP service allows remote unauthenticated attackers to compromise Web User accounts configured with SSH key authentication in versions prior to 7.10.0. The SFTP service fails to enforce login attempt limits when SSH key authentication is used, enabling attackers to programmatically guess private keys. EPSS and KEV data not provided; vendor Fortra disclosed this vulnerability directly (FI-2026-004).
Technical ContextAI
GoAnywhere MFT is an enterprise managed file transfer solution that supports SFTP (SSH File Transfer Protocol) for secure file operations. The vulnerability affects the SFTP authentication subsystem when Web Users are configured to authenticate via SSH public key cryptography rather than passwords. CWE-307 (Improper Restriction of Excessive Authentication Attempts) indicates the missing rate-limiting control allows unlimited SSH key authentication attempts. Unlike password-based authentication where failed login lockouts typically apply, the SFTP service in affected versions fails to throttle or block repeated SSH key presentation attempts against the same user account, creating a brute-force vector against the cryptographic key space.
RemediationAI
Upgrade GoAnywhere MFT to version 7.10.0 or later, which enforces login attempt limits on SFTP SSH key authentication attempts per vendor advisory FI-2026-004 (https://fortra.com/security/advisories/product-security/fi-2026-004). If immediate patching is not feasible, implement network-layer rate limiting on TCP port 22 (SFTP) using firewall rules or intrusion prevention systems to block IP addresses exceeding threshold authentication attempts per time window (e.g., 10 attempts per 5 minutes); this requires ongoing monitoring and may impact legitimate users during key rotation. Restrict SFTP service access to trusted IP ranges via firewall ACLs, eliminating internet exposure if remote access is unnecessary; this prevents external brute-force but limits business flexibility for partner file transfers. Audit existing SSH keys for strength: rotate any RSA keys under 3072 bits to 4096-bit RSA or Ed25519, and ensure encrypted private keys use strong passphrases (16+ characters); weak key remediation does not fix the rate-limiting vulnerability but reduces brute-force feasibility. Consider temporarily converting high-privilege Web Users to password authentication with MFA until patching completes, though this reduces operational security benefits of key-based authentication.
More in Goanywhere Mft
View allSFTP authentication in GoAnywhere MFT prior to 7.10.0 allows remote unauthenticated attackers to bypass login attempt li
User-controlled HTTP headers in Fortra GoAnywhere MFT prior to version 7.10.0 enable remote unauthenticated attackers to
Fortra GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 use a static initialization v
Improper session timeout handling in Fortra GoAnywhere MFT prior to version 7.10.0 allows unauthenticated remote attacke
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24129
GHSA-rpc6-m3h5-gmf2