Improper Access Control in Fortra's GoAnywhere MFT SFTP Service
CVE-2025-8148

4.2MEDIUM

Key Information:

Vendor: Fortra
Status: Goanywhere Mft
Vendor: CVE Published:; 5 December 2025

What is CVE-2025-8148?

An improper access control vulnerability exists within the SFTP service of Fortra's GoAnywhere MFT, prior to version 7.9.0. This issue permits web users who possess an authentication alias and a valid SSH key, but are restricted to password authentication for SFTP, to bypass intended security measures and log in using their SSH key. Such a flaw raises significant concerns regarding the integrity and confidentiality of file transfers, necessitating prompt remediation to safeguard sensitive data.

Affected Version(s)

GoAnywhere MFT Windows 0 < 7.9.0

References

https://www.fortra.com/security/advisories/product-securi...

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 5, 2025
Vulnerability Reserved
Jul 24, 2025

JSON