Broken access control in Fortra's GoAnywhere MFT
CVE-2025-3871

5.3MEDIUM

Key Information:

Vendor: Fortra
Status: Goanywhere Mft
Vendor: CVE Published:; 16 July 2025

What is CVE-2025-3871?

A security gap in Fortra's GoAnywhere MFT prior to version 7.8.1 allows attackers to create denial of service conditions specifically when GoAnywhere One-Time Password (GOTP) is configured for email-based two-factor authentication (2FA) and no email address is assigned. In such cases, an attacker could input the email address of a legitimate user, leading to potential account authentication issues if that user has GOTP set up.

Affected Version(s)

GoAnywhere MFT 0 < 7.8.1

References

https://www.fortra.com/security/advisories/product-securi...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 16, 2025
Vulnerability Reserved
Apr 22, 2025