Fortra GoAnywhere MFT EUVD-2025-209539

CVE-2025-1241 (MEDIUM)
Inadequate Encryption Strength (CWE-326)
2026-04-21 Fortra GHSA-fcmx-wcc5-gf8w
CVSS 3.1 base score: 5.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 21, 2026 - 16:31 (vuln.today)
Patch available: Apr 21, 2026 - 16:31 (EUVD)

Description (NVD)

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.

Analysis (AI)

Fortra GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 use a static initialization vector (IV) for encryption, allowing authenticated administrative users to brute-force decryption of encrypted data. The vulnerability requires high-privilege access and computational effort, but a successful attack results in complete loss of confidentiality for the encrypted values. No public exploit code or active exploitation had been confirmed at the time of analysis.

Technical Context (AI)

This vulnerability stems from a weak cryptographic implementation classified as CWE-326 (Inadequate Encryption Strength). Cipher modes such as CBC require a fresh, unpredictable IV for each encryption operation under a given key; reusing one IV means identical plaintexts (or identical leading blocks) produce identical ciphertexts, which enables pattern analysis and offline testing of candidate plaintexts. GoAnywhere MFT's use of a static IV violates this principle, allowing an attacker with administrative credentials to accumulate encrypted values and systematically decrypt them by testing candidate plaintexts against the fixed IV. This weakness is particularly severe in data management solutions like GoAnywhere MFT, which store sensitive file transfer credentials and configuration data in encrypted form. The affected CPE (cpe:2.3:a:fortra:goanywhere_mft:*:*:*:*:*:*:*:*) covers GoAnywhere MFT; all versions prior to 7.10.0 are vulnerable, as are GoAnywhere Agents prior to 2.2.0.
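To make the weakness concrete, the following Go program (an added illustration written for this page, not Fortra's code and not an exact model of how GoAnywhere MFT encrypts values) places the static-IV pattern beside its hardened form using AES-CBC from the standard library. The key, the placeholder IV, and the sample secret are all constructed values. It shows the property a defender cares about: under a static IV the same secret always encrypts to the same bytes, while a per-value random IV removes that correlation, and both remain decryptable. MaxIVReuse is the audit check an operator could run over an exported store of iv || ciphertext values to confirm IV reuse is gone after upgrading.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad brings the plaintext up to a whole number of AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding added by pkcs7Pad, rejecting malformed input.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptCBC encrypts with AES-CBC under the caller-supplied IV and stores
// the result as iv || ciphertext. The scheme is only as strong as the IV choice.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// staticIV is a constructed placeholder for the weak pattern (one fixed IV
// shared by every stored value); it is not the product's real IV.
var staticIV = []byte("fixed-iv-16bytes")

// EncryptStaticIV is the vulnerable form: every value reuses staticIV.
func EncryptStaticIV(key, plaintext []byte) ([]byte, error) {
	return encryptCBC(key, staticIV, plaintext)
}

// EncryptRandomIV is the hardened form: a fresh IV from crypto/rand per value.
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	return encryptCBC(key, iv, plaintext)
}

// DecryptCBC reverses either form, so switching to random IVs costs nothing functionally.
func DecryptCBC(key, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < 2*aes.BlockSize || len(stored)%aes.BlockSize != 0 {
		return nil, errors.New("stored value too short or misaligned")
	}
	iv, ct := stored[:aes.BlockSize], stored[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// MaxIVReuse is the audit check: over a set of stored iv || ciphertext values
// it returns how many share the most frequently used IV. Above 1 means reuse.
func MaxIVReuse(stored [][]byte) int {
	counts := map[string]int{}
	best := 0
	for _, v := range stored {
		if len(v) < aes.BlockSize {
			continue
		}
		k := hex.EncodeToString(v[:aes.BlockSize])
		counts[k]++
		if counts[k] > best {
			best = counts[k]
		}
	}
	return best
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte AES-256 key
	secret := []byte("constructed-sample-secret")
	a, _ := EncryptStaticIV(key, secret)
	b, _ := EncryptStaticIV(key, secret)
	c, _ := EncryptRandomIV(key, secret)
	d, _ := EncryptRandomIV(key, secret)
	fmt.Println("static IV, same secret twice, identical ciphertext:", bytes.Equal(a, b))
	fmt.Println("random IV, same secret twice, identical ciphertext:", bytes.Equal(c, d))
	fmt.Println("max IV reuse across stored values:", MaxIVReuse([][]byte{a, b, c, d}))
}
```

The equality leak is the whole point: an administrator who can export the configuration store sees which stored secrets are equal to each other before doing any cryptanalysis, and can compare stored values against ciphertexts of guessed values encrypted under the same fixed IV. With per-value random IVs, MaxIVReuse returns 1 and that comparison is no longer possible.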

Remediation (AI)

Upgrade GoAnywhere MFT to version 7.10.0 or later, and GoAnywhere Agents to version 2.2.0 or later. These versions implement cryptographically secure random initialization vectors for encryption. Consult Fortra's advisory FI-2026-001 at https://fortra.com/security/advisories/product-security/FI-2026-001 for patch delivery and deployment instructions. Until patching is completed, implement compensating controls:

(1) Restrict administrative account access to only personnel who require it, using role-based access control.
(2) Enable and monitor audit logging of all administrative activities, particularly encryption/decryption operations, to detect unauthorized brute-force attempts.
(3) If technically feasible without breaking production workflows, rotate credentials stored within GoAnywhere MFT configuration to limit the window of exposure if decryption occurs.
(4) Isolate GoAnywhere MFT instances on a network segment with restricted egress to reduce lateral movement risk if administrative credentials are compromised.

Note that these controls mitigate but do not eliminate the underlying vulnerability.
