Description
The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.
Published: 2026-04-21
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: Brute Force Login Vulnerability
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows an attacker to bypass the login attempt limit on the SFTP service of Fortra's GoAnywhere MFT when the targeted web user is configured for SSH key authentication. The lack of enforcement means a brute‑force attack can guess the SSH key and gain unauthorized access. This weakness is classified as CWE‑307, which concerns an authentication mechanism that does not properly enforce a maximum number of failed login attempts.

Affected Systems

All installations of Fortra GoAnywhere MFT older than version 7.10.0 are affected. The vulnerability exists in the SFTP service layer and therefore any web user configured to use an SSH key is at risk.

Risk and Exploitability

With a CVSS score of 7.3, the vulnerability is considered high severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote network access to the SFTP port, where an attacker can repeatedly attempt authentication using guessed SSH keys. No special privileges or prior access are required, making exploitation straightforward for attackers with network access to the host.

Generated by OpenCVE AI on April 21, 2026 at 22:48 UTC.

Remediation

Vendor Solution

Upgrade to patched version (7.10.0 or later).

OpenCVE Recommended Actions

  • Upgrade GoAnywhere MFT to version 7.10.0 or later to enforce the login limit.
  • Configure an account lockout or rate‑limiting policy on the SFTP service to block repeated failed authentication attempts.
  • Restrict SFTP access to trusted IP addresses or through a bastion host, and ensure that all SSH keys meet an acceptable length and algorithm standard.

Generated by OpenCVE AI on April 21, 2026 at 22:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.
Title GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Fortra

Published:

Updated: 2026-04-21T19:27:23.897Z

Reserved: 2026-01-14T23:07:29.797Z

Link: CVE-2026-0972

cve-icon Vulnrichment

Updated: 2026-04-21T19:27:20.877Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-21T15:16:35.830

Modified: 2026-04-21T16:20:24.180

Link: CVE-2026-0972

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T23:00:03Z

Weaknesses