CVE-2025-1241
Static IV Vulnerability in GoAnywhere MFT Enables Data Decryption
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: Fortra
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortra | goanywhere_managed_file_transfer | to 7.10.0 (exc) |
| fortra | goanywhere_agents | to 2.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-326 | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Fortra's GoAnywhere MFT versions prior to 7.10.0 and GoAnywhere Agents prior to 2.2.0. It involves the use of a static initialization vector (IV) for encrypting values. Because the IV is static, admin users can perform brute-force attacks to decrypt the encrypted data.
How can this vulnerability impact me? :
The vulnerability allows admin users to brute-force decrypt encrypted data, potentially exposing sensitive information. This could lead to unauthorized data disclosure, compromising confidentiality without affecting data integrity or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Fortra's GoAnywhere MFT to version 7.10.0 or later and GoAnywhere Agents to version 2.2.0 or later. These versions address the issue by eliminating the use of a static IV in encrypted values.