Fortra® Security & Trust Center

Security Advisory

Broken Access Control Leads to Limited Denial of Service in GoAnywhere MFT Prior to 7.8.1

Wed, 07/16/2025
Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has...
FI-2025-009
Medium
CVE-2025-3871
Emerging Threats

FortiWeb Unauthenticated SQL Injection in GUI

Fri, 07/11/2025
Fortra is actively researching a critical unauthenticated SQL injection vulnerability affecting FortiWeb products identified as CVE-2025-25257. This vulnerability allows remote attackers to execute arbitrary SQL commands via crafted HTTP(s) requests without authentication, potentially resulting in full system compromise.
Patch Tuesday Analysis
Blog

July 2025 Patch Tuesday Analysis

By Tyler Reguly on Tue, 07/08/2025
window._wq = window._wq || []; _wq.push({ id: "nu4d3wvu8p", options: { preload: "auto" } }); Today’s Patch Tuesday Alert addresses Microsoft’s July 2025 Security Updates. We are actively working on coverage for these vulnerabilities and expect to ship ASPL-1164 as soon as coverage is completed. In-The-Wild & Disclosed CVEsCVE-2025-49719The only publicly...
Threat Research & Intelligence
Vulnerability Management
Blog

BEC Global Insights Report: June 2025

By John Farina on Fri, 07/04/2025
The monthly Global BEC Insights Report from Fortra presents a comprehensive analysis of the latest tactics, techniques, and procedures (TTP) employed by BEC threat actors. This report draws on extensive intelligence gathered from hundreds of active defense engagements conducted throughout the month. Key insights include geolocation data, attack volume, and the variety of scams, such as payroll diversion and advance fee fraud. The report also highlights the use of gift cards in scams, the requested amounts in wire transfer fraud, and the banks and webmail providers frequently targeted by attackers. These findings provide a critical understanding of the evolving BEC threat landscape.
Security Advisory

Core Privileged Access Manager (BoKS) Leakage of Sensitive Data via the Cache

Tue, 06/17/2025
A binary in the BoKS Server Agent component of Fortra's Core Privileged Access Manager (BoKS) on versions 7.2.0 (up to 7.2.0.17), 8.1.0 (up to 8.1.0.22), 8.1.1 (up to 8.1.1.7), 9.0.0 (up to 9.0.0.1) and also legacy tar installs of BoKS 7.2 without hotfix #0474 on Linux, AIX, and Solaris allows low privilege local users to dump data from the cache.
FI-2025-008
Medium
CVE-2025-5141
Security Advisory

IBM Backup, Recovery and Media Services for i is vulnerable to a user gaining elevated privileges due to an unqualified library call

Fri, 06/13/2025
IBM Backup, Recovery, and Media Services is vulnerable to allowing a user with the capability to compile or restore a program to gain elevated privileges due to a library unqualified call. A malicious actor could cause user-controlled code to run with component access to the host operating system This bulletin identifies the steps to take to address the vulnerabilities as described in the...
FI-2025-007
High
CVE-2025-33108