CVE-2025-8148 — Incorrect Permission Assignment in GoAnywhere MFT
Severity
4.2 MEDIUM (NVD)
EPSS
0.1%
top 82.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 5
Description
An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still log in using their SSH key.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 1.6 | Impact: 2.5
Affected Packages: 2 packages
Vulnerability Details
1 GHSA
GHSA-3f4c-2q4h-c97w: An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7… (2025-12-05)