{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14362", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2025-12-09T17:26:54.658Z", "datePublished": "2026-04-21T14:14:08.492Z", "dateUpdated": "2026-04-21T19:33:35.079Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2026-04-21T14:14:08.492Z"}, "title": "GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-307", "description": "CWE-307 Improper restriction of excessive authentication attempts", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-49", "descriptions": [{"lang": "en", "value": "CAPEC-49 Password Brute Forcing"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "versions": [{"status": "affected", "version": "0", "lessThan": "7.10.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The login limit is not enforced on the\u00a0SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force."}]}], "references": [{"url": "https://fortra.com/security/advisories/product-security/FI-2026-002"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}], "solutions": [{"lang": "en", "value": "Upgrade to patched version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade to patched version."}]}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:33:27.357827Z", "id": "CVE-2025-14362", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:33:35.079Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14362", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:33:27.357827Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:33:32.016Z"}}], "cna": {"title": "GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-49", "descriptions": [{"lang": "en", "value": "CAPEC-49 Password Brute Forcing"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "versions": [{"status": "affected", "version": "0", "lessThan": "7.10.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to patched version.", "supportingMedia": [{"type": "text/html", "value": "Upgrade to patched version.", "base64": false}]}], "references": [{"url": "https://fortra.com/security/advisories/product-security/FI-2026-002"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The login limit is not enforced on the\u00a0SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.", "supportingMedia": [{"type": "text/html", "value": "The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307 Improper restriction of excessive authentication attempts"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2026-04-21T14:14:08.492Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14362", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:33:35.079Z", "dateReserved": "2025-12-09T17:26:54.658Z", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "datePublished": "2026-04-21T14:14:08.492Z", "assignerShortName": "Fortra"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EB6422D-7B12-41B3-BD42-5610C6C72524", "versionEndExcluding": "7.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The login limit is not enforced on the\u00a0SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force."}], "id": "CVE-2025-14362", "lastModified": "2026-04-23T14:16:39.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}, "published": "2026-04-21T15:16:35.207", "references": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "tags": ["Vendor Advisory"], "url": "https://fortra.com/security/advisories/product-security/FI-2026-002"}], "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.10.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GoAnywhere MFT", "source": "cna", "vendor": "Fortra"}, "product": "goanywhere_mft", "vendor": "fortra"}], "analysis": {"en": {"generated_at": "2026-04-21T22:48:40.554509+00:00", "value": {"mitigation_remediation": ["Upgrade GoAnywhere MFT to version 7.10.0 or later to ensure SSH key login limits are enforced", "If an immediate upgrade is not feasible, restrict Web Users from using SSH key authentication until a patch can be applied or enforce a temporary local lockout policy after a set number of failed key attempts", "Validate that all SSH keys in use meet organizational key strength policies and rotate keys regularly to reduce the risk of guessable keys"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access through brute force on SFTP via SSH key"}, "threat_synthesis": {"affected_systems": "All Fortra GoAnywhere MFT installations with Web Users configured for SSH key authentication that run versions older than 7.10.0 are affected. The vulnerability is limited to the SFTP service and requires the specific user configuration described above.", "description_and_impact": "The SFTP service of Fortra's GoAnywhere MFT does not enforce a login limit for Web Users who authenticate with an SSH key in versions prior to 7.10.0. This omission allows an attacker to attempt numerous SSH key guesses until a valid key is found, effectively bypassing authentication. The vulnerability is a classic case of authentication bypass (CWE-307) and can result in unauthorized access, data theft, or further lateral movement within the network.", "risk_and_exploitability": "The CVSS score of 7.3 classifies this as a high\u2011severity issue. With no EPSS data, the baseline exploit probability is unknown, but the fact that a brute\u2011force login can succeed without additional preconditions raises concern. The vulnerability is not listed in CISA's KEV catalog, indicating no known widespread exploitation. The likely attack vector is remote, network\u2011based brute force of SSH keys against the SFTP port, targeting users whose accounts are mistakenly configured to allow key login without login limits."}}}}, "created": "2026-04-21T23:00:03.480355+00:00", "updated": "2026-04-22T11:46:29.341328+00:00", "vendors": ["fortra", "fortra$PRODUCT$goanywhere_mft"]}