CVE-2025-14362

HIGH

GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances

Title source: cna

Description

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 when the Web User account being logged in to is configured to log in with an SSH key, leaving the SSH key vulnerable to being guessed by brute force.

Scores

CVSS v3 7.3
EPSS 0.0005
EPSS Percentile 15.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-307
Status published
Products (2)
Fortra/GoAnywhere MFT < 7.10.0
fortra/goanywhere_managed_file_transfer < 7.10.0
Published Apr 21, 2026
Tracked Since Apr 21, 2026