Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
6DescriptionCVE.org
An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.
AnalysisAI
Improper session timeout handling in Fortra GoAnywhere MFT prior to version 7.10.0 allows unauthenticated remote attackers to bypass SAML authentication and redirect users to the regular login page, potentially enabling credential harvesting or session hijacking attacks. The vulnerability requires user interaction (clicking a malicious link or visiting a crafted URL) but affects all web users configured with SAML single sign-on, creating an information disclosure risk through unexpected authentication flow exposure.
Technical ContextAI
The vulnerability is rooted in CWE-613 (Insufficient Session Expiration), a class of flaws where session management mechanisms fail to properly invalidate or refresh security context after timeout events. In GoAnywhere MFT, SAML-configured web users should be transparently redirected to the SAML identity provider login flow; instead, the session timeout mechanism incorrectly routes them to the standard application login page. This breaks the intended SAML authentication chain and exposes the regular login interface to users who should only access SAML-protected resources. The affected product is Fortra's GoAnywhere MFT (CPE: cpe:2.3:a:fortra:goanywhere_mft), a managed file transfer solution commonly deployed in enterprise environments for secure data exchange.
RemediationAI
Upgrade Fortra GoAnywhere MFT to version 7.10.0 or later immediately. This is the only vendor-released patch confirmed to address the session timeout handling defect. If immediate patching is not feasible, organizations should implement compensating controls: (1) enforce IP-based session restrictions to limit session reuse across geographic locations, (2) disable or strictly monitor the regular login page for SAML-configured users via access control lists, (3) enable detailed audit logging of authentication events to detect anomalous login patterns, and (4) provide security awareness training to users about the expected SAML login flow to reduce susceptibility to credential harvesting. Note that compensating controls do not eliminate the underlying vulnerability and should be temporary pending patching. See Fortra security advisory FI-2025-013 for additional details and deployment guidance.
More in Goanywhere Mft
View allSFTP authentication in GoAnywhere MFT prior to 7.10.0 allows remote unauthenticated attackers to bypass login attempt li
User-controlled HTTP headers in Fortra GoAnywhere MFT prior to version 7.10.0 enable remote unauthenticated attackers to
Fortra GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 use a static initialization v
SSH key brute-force attack against GoAnywhere MFT SFTP service allows remote unauthenticated attackers to compromise Web
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24128
GHSA-436j-4grc-7cjp