CVE-2025-1241
Received Received - Intake
Static IV Vulnerability in GoAnywhere MFT Enables Data Decryption

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: Fortra

Description
Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-1241
EUVD
EUVD-2025-209539
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
fortra goanywhere_managed_file_transfer to 7.10.0 (exc)
fortra goanywhere_agents to 2.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Fortra's GoAnywhere MFT versions prior to 7.10.0 and GoAnywhere Agents prior to 2.2.0. It involves the use of a static initialization vector (IV) for encrypting values. Because the IV is static, admin users can perform brute-force attacks to decrypt the encrypted data.

Impact Analysis

The vulnerability allows admin users to brute-force decrypt encrypted data, potentially exposing sensitive information. This could lead to unauthorized data disclosure, compromising confidentiality without affecting data integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade Fortra's GoAnywhere MFT to version 7.10.0 or later and GoAnywhere Agents to version 2.2.0 or later. These versions address the issue by eliminating the use of a static IV in encrypted values.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-1241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart