Encryption vulnerable to brute-force decryption in GoAnywhere MFT

FI-2026-001 - Encryption vulnerable to brute-force decryption in GoAnywhere MFT

Severity

Medium

Published Date

21-Apr-2026

Updated Date

21-Apr-2026

Vulnerabilities

CVE-2025-1241

Notes

Description

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.

Vulnerabilities

Encryption vulnerable to brute-force decryption in GoAnywhere MFT

Severity

Medium

CVE

CVE-2025-1241

CWE

CWE-326:Inadequate Encryption Strength

Discovery Date

17-Nov-2023

CSSv3.1

5.8 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)

Affected Products

GoAnywhere MFT

Vulnerability Notes

Remediation: Vendor Fix

Upgrade to patched version

Remediation: Mitigation

Fortra recommends restricting access to the Admin client to a limited number users who perform administrative work.

References

(https://www.cve.org/cverecord?id=CVE-2025-1241)

Encryption vulnerable to brute-force decryption in GoAnywhere MFT

FI-2026-001 - Encryption vulnerable to brute-force decryption in GoAnywhere MFT

Notes

Vulnerabilities

Vulnerability Notes

References

Privacy Policy

Cookie Policy

Terms of Service

Accessibility

Fortra AI Use

Impressum