Improper Access Control in SFTP service of GoAnywhere MFT

FI-2025-013 - Improper Access Control in SFTP service of GoAnywhere MFT

Severity
Medium
Published Date
05-Dec-2025
Updated Date
05-Dec-2025
Vulnerabilities
CVE-2025-8148
 
Notes
Description

An improper access control issue in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users who have an Authentication Alias and a valid SSH key, but are limited to Password authentication for SFTP, to still log in using their SSH key.

 

Vulnerabilities

 
Improper Access Control in SFTP service of GoAnywhere MFT
Severity
Medium
CVE
CVE-2025-8148
CWE
CWE-732 (Incorrect Permission Assignment), CWE-863 (Incorrect Authorization)
Discovery Date
17-Nov-2023
CVSSv3.1
4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
Affected Products
GoAnywhere MFT
Vulnerability Notes
Remediation: Mitigation

Remove any SSH Keys assigned to Web Users that are configured for Password-only authentication to the SFTP service.

 
Remediation: Vendor Fix

Upgrade to a remediated version.

 
References
 

Acknowledgements

Fortra would like to thank the following individuals: