CVE-2025-3871
BaseFortify

Publication date: 2025-07-16

Last updated on: 2025-07-16

Assigner: Fortra

Description
Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP.
Meta Information
Published: 2025-07-16
Last Modified: 2025-07-16
Generated: 2026-05-27
AI Q&A: 2025-07-16
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor: fortra
Product: goanywhere_mft
Version / Range: *
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a broken access control issue in Fortra's GoAnywhere MFT versions prior to 7.8.1. It allows an attacker to cause a denial of service by exploiting the GoAnywhere One-Time Password (GOTP) email two-factor authentication system when a user has not set an email address. The attacker can enter the email address of a known user, and if that user has configured GOTP, the user account will be disabled.


How can this vulnerability impact me?

The vulnerability can impact you by causing a denial of service situation where legitimate users who have configured GOTP for two-factor authentication can be disabled by an attacker. This could prevent users from accessing the system, disrupting normal operations.

