CVE-2025-8148 - Vulnerability Details - OpenCVE

An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

Upgrade to remediated version.

Workaround

Remove any SSH Keys assigned to Web Users that are configured for Password-only authentication to the SFTP service.

References

Link	Providers
https://www.fortra.com/security/advisories/product-security/fi-2025-013

History

Fri, 05 Dec 2025 21:15:00 +0000

Type	Values Removed	Values Added
References	https://https://www.fortra.com/security/advisories/product-security/fi-2025-013	https://www.fortra.com/security/advisories/product-security/fi-2025-013

Fri, 05 Dec 2025 21:00:00 +0000

Type	Values Removed	Values Added
Description		An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.
Title		CVE-2025-8148 Improper Access Control in SFTP service of GoAnywhere MFT
Weaknesses		CWE-732 CWE-863
References		https://https://www.fortra.com/security/advisories/product-security/fi-2025-013
Metrics		cvssV3_1 `{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Fortra

Published: 2025-12-05T20:56:05.135Z

Updated: 2025-12-05T21:48:44.070Z

Reserved: 2025-07-24T21:27:23.294Z

Link: CVE-2025-8148

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-12-05T21:15:54.907

Modified: 2025-12-05T21:15:54.907

Link: CVE-2025-8148

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8148", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2025-07-24T21:27:23.294Z", "datePublished": "2025-12-05T20:56:05.135Z", "dateUpdated": "2025-12-05T21:48:44.070Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "MacOS", "Linux"], "product": "GoAnywhere MFT", "vendor": "Fortra", "versions": [{"lessThan": "7.9.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key."}], "value": "An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2025-12-05T21:00:51.454Z"}, "references": [{"url": "https://www.fortra.com/security/advisories/product-security/fi-2025-013"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to remediated version.\n\n<br>"}], "value": "Upgrade to remediated version."}], "source": {"discovery": "UNKNOWN"}, "title": "CVE-2025-8148 Improper Access Control in SFTP service of GoAnywhere MFT", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Remove any SSH Keys assigned to Web Users that are configured for Password-only authentication to the SFTP service.\n\n<br>"}], "value": "Remove any SSH Keys assigned to Web Users that are configured for Password-only authentication to the SFTP service."}], "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T21:48:36.023662Z", "id": "CVE-2025-8148", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T21:48:44.070Z"}}]}}