Skip to main content

Goanywhere Managed File Transfer

8 CVEs product

Monthly

CVE-2025-8148 MEDIUM PATCH This Month

An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.

Information Disclosure Goanywhere Managed File Transfer
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-10035 CRITICAL POC KEV THREAT Emergency

Fortra GoAnywhere MFT contains a deserialization vulnerability in the License Servlet allowing command injection through crafted license response signatures.

Command Injection Deserialization Goanywhere Managed File Transfer
NVD
CVSS 3.1
10.0
EPSS
58.8%
Threat
6.8
CVE-2025-0049 LOW Monitor

When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path which may allow Fuzzing for. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Goanywhere Managed File Transfer
NVD
CVSS 3.1
3.5
EPSS
0.2%
CVE-2024-11922 MEDIUM This Month

Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Goanywhere Managed File Transfer
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2024-25157 MEDIUM This Month

An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure Goanywhere Managed File Transfer
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-25156 MEDIUM This Month

A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Goanywhere Managed File Transfer
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-0204 CRITICAL POC THREAT Emergency

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Goanywhere Managed File Transfer
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
95.1%
CVE-2023-0669 HIGH POC KEV PATCH THREAT Act Now

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Command Injection Deserialization Goanywhere Managed File Transfer
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
100.0%
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.

Information Disclosure Goanywhere Managed File Transfer
NVD
EPSS 59% 6.8 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Fortra GoAnywhere MFT contains a deserialization vulnerability in the License Servlet allowing command injection through crafted license response signatures.

Command Injection Deserialization Goanywhere Managed File Transfer
NVD
EPSS 0% CVSS 3.5
LOW Monitor

When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path which may allow Fuzzing for. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Goanywhere Managed File Transfer
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Goanywhere Managed File Transfer
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure Goanywhere Managed File Transfer
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Goanywhere Managed File Transfer
NVD
EPSS 95% CVSS 9.8
CRITICAL POC THREAT Emergency

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Goanywhere Managed File Transfer
NVD Exploit-DB
EPSS 100% CVSS 7.2
HIGH POC KEV PATCH THREAT Act Now

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Command Injection Deserialization Goanywhere Managed File Transfer
NVD GitHub Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy