Skip to main content

GoAnywhere MFT EUVDEUVD-2026-24129

| CVE-2026-0972 MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-04-21 Fortra GHSA-rpc6-m3h5-gmf2
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

8
Patch released
Apr 29, 2026 - 20:16 nvd
Patch available
Severity Changed
Apr 22, 2026 - 16:22 NVD
HIGH MEDIUM
CVSS changed
Apr 22, 2026 - 16:22 NVD
7.3 (HIGH) 5.4 (MEDIUM)
Patch available
Apr 21, 2026 - 16:31 EUVD
Analysis Generated
Apr 21, 2026 - 16:30 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 14:30 euvd
EUVD-2026-24129
Analysis Generated
Apr 21, 2026 - 14:30 vuln.today
CVE Published
Apr 21, 2026 - 14:14 nvd
MEDIUM 5.4

DescriptionCVE.org

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

AnalysisAI

SSH key brute-force attack against GoAnywhere MFT SFTP service allows remote unauthenticated attackers to compromise Web User accounts configured with SSH key authentication in versions prior to 7.10.0. The SFTP service fails to enforce login attempt limits when SSH key authentication is used, enabling attackers to programmatically guess private keys. EPSS and KEV data not provided; vendor Fortra disclosed this vulnerability directly (FI-2026-004).

Technical ContextAI

GoAnywhere MFT is an enterprise managed file transfer solution that supports SFTP (SSH File Transfer Protocol) for secure file operations. The vulnerability affects the SFTP authentication subsystem when Web Users are configured to authenticate via SSH public key cryptography rather than passwords. CWE-307 (Improper Restriction of Excessive Authentication Attempts) indicates the missing rate-limiting control allows unlimited SSH key authentication attempts. Unlike password-based authentication where failed login lockouts typically apply, the SFTP service in affected versions fails to throttle or block repeated SSH key presentation attempts against the same user account, creating a brute-force vector against the cryptographic key space.

RemediationAI

Upgrade GoAnywhere MFT to version 7.10.0 or later, which enforces login attempt limits on SFTP SSH key authentication attempts per vendor advisory FI-2026-004 (https://fortra.com/security/advisories/product-security/fi-2026-004). If immediate patching is not feasible, implement network-layer rate limiting on TCP port 22 (SFTP) using firewall rules or intrusion prevention systems to block IP addresses exceeding threshold authentication attempts per time window (e.g., 10 attempts per 5 minutes); this requires ongoing monitoring and may impact legitimate users during key rotation. Restrict SFTP service access to trusted IP ranges via firewall ACLs, eliminating internet exposure if remote access is unnecessary; this prevents external brute-force but limits business flexibility for partner file transfers. Audit existing SSH keys for strength: rotate any RSA keys under 3072 bits to 4096-bit RSA or Ed25519, and ensure encrypted private keys use strong passphrases (16+ characters); weak key remediation does not fix the rate-limiting vulnerability but reduces brute-force feasibility. Consider temporarily converting high-privilege Web Users to password authentication with MFA until patching completes, though this reduces operational security benefits of key-based authentication.

Share

EUVD-2026-24129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy