CVE-2025-1241
Received Received - Intake

Static IV Vulnerability in GoAnywhere MFT Enables Data Decryption

Vulnerability report for CVE-2025-1241, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: Fortra

Description

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-07-06
AI Q&A
2026-04-21
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fortra goanywhere_managed_file_transfer to 7.10.0 (exc)
fortra goanywhere_agents to 2.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Fortra's GoAnywhere MFT versions prior to 7.10.0 and GoAnywhere Agents prior to 2.2.0. It involves the use of a static initialization vector (IV) for encrypting values. Because the IV is static, admin users can perform brute-force attacks to decrypt the encrypted data.

Impact Analysis

The vulnerability allows admin users to brute-force decrypt encrypted data, potentially exposing sensitive information. This could lead to unauthorized data disclosure, compromising confidentiality without affecting data integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade Fortra's GoAnywhere MFT to version 7.10.0 or later and GoAnywhere Agents to version 2.2.0 or later. These versions address the issue by eliminating the use of a static IV in encrypted values.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-1241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart