Description
Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.
Published: 2026-04-21
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: Confidentiality Breach
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the use of a static initialization vector (IV) in encrypted values handled by GoAnywhere MFT and its agents. Because the IV never changes, an attacker with administrative privileges can perform brute‑force trials to decrypt protected data. This weakness falls under CWE‑326 and results in the potential exposure of confidential information stored or transmitted by the system. The impact is limited to data confidentiality, while integrity and availability are not directly affected.

Affected Systems

Fortra’s GoAnywhere MFT versions earlier than 7.10.0 and GoAnywhere Agents earlier than 2.2.0 are affected. These products are used for secure file transfers and management, and the vulnerable encryption mechanism is employed in configuration and data storage components.

Risk and Exploitability

The CVSS score of 5.8 reflects moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited prior exploitation. The likely attack vector requires privileged admin access, typically through the Admin Client interface. If an attacker gains local or remote administrative control, the static IV allows brute-force decryption of encrypted content.

Generated by OpenCVE AI on April 21, 2026 at 22:49 UTC.

Remediation

Vendor Solution

Upgrade to patched version.


Vendor Workaround

Restrict access to Admin Client.


OpenCVE Recommended Actions

  • Upgrade GoAnywhere MFT to version 7.10.0 or later
  • Upgrade GoAnywhere Agents to version 2.2.0 or later
  • Restrict access to the Admin Client to authorized personnel while the patch is deployed

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 21 Apr 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Description | | Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data. |
| Title | | Encryption vulnerable to brute-force decryption in GoAnywhere MFT |
| Weaknesses | | CWE-326 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Fortra

Published:

Updated: 2026-04-21T19:33:03.005Z

Reserved: 2025-02-11T23:19:04.818Z

Link: CVE-2025-1241

Vulnrichment

Updated: 2026-04-21T19:32:58.757Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T15:16:35.320

Modified: 2026-04-21T16:20:24.180

Link: CVE-2025-1241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:00:03Z

Weaknesses