Description
The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.
Published: 2026-04-21
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: Unauthorized access through brute force on SFTP via SSH key
Action: Immediate Patch
AI Analysis

Impact

The SFTP service of Fortra's GoAnywhere MFT does not enforce a login limit for Web Users who authenticate with an SSH key in versions prior to 7.10.0. Because failed key attempts are never cut off, an attacker can keep submitting SSH key guesses until a valid key is accepted, effectively bypassing authentication. The underlying weakness is CWE-307 (Improper Restriction of Excessive Authentication Attempts); successful exploitation can result in unauthorized access, data theft, or further lateral movement within the network.

Affected Systems

All Fortra GoAnywhere MFT installations with Web Users configured for SSH key authentication that run versions older than 7.10.0 are affected. The vulnerability is limited to the SFTP service and requires the specific user configuration described above.

Risk and Exploitability

The CVSS score of 7.3 classifies this as a high-severity issue. With no EPSS data, the baseline exploit probability is unknown, but a brute-force login that can succeed with no additional preconditions (the CVSS vector is AV:N/AC:L/PR:N/UI:N) raises concern. The vulnerability is not listed in CISA's KEV catalog, so no in-the-wild exploitation has been confirmed at the time of writing. The likely attack vector is remote, network-based brute force of SSH keys against the SFTP port, aimed at accounts configured for SSH key login, which are exactly the accounts for which the limit is not enforced. In practice the exposure concentrates on weak or predictable keys, since a properly generated key cannot be guessed in any feasible number of attempts; the missing limit also removes the lockout signal that would normally alert a defender to the attempts.

Generated by OpenCVE AI on April 21, 2026 at 22:48 UTC.

Remediation

Vendor Solution

Upgrade to patched version.
OpenCVE Recommended Actions

  • Upgrade GoAnywhere MFT to version 7.10.0 or later to ensure SSH key login limits are enforced
  • If an immediate upgrade is not feasible, restrict Web Users from using SSH key authentication until a patch can be applied or enforce a temporary local lockout policy after a set number of failed key attempts
  • Validate that all SSH keys in use meet organizational key strength policies and rotate keys regularly to reduce the risk of guessable keys

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 14:30:00 +0000

Type: Description
Values removed: (none)
Values added: The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

Type: Title
Values removed: (none)
Values added: GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances

Type: Weaknesses
Values removed: (none)
Values added: CWE-307

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Fortra

Published:

Updated: 2026-04-21T19:33:35.079Z

Reserved: 2025-12-09T17:26:54.658Z

Link: CVE-2025-14362

Vulnrichment

Updated: 2026-04-21T19:33:32.016Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T15:16:35.207

Modified: 2026-04-21T16:20:24.180

Link: CVE-2025-14362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:00:03Z

Weaknesses