CVE-2025-14362
Brute Force Vulnerability in GoAnywhere MFT SFTP SSH Key Login
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: Fortra
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortra | goanywhere_managed_file_transfer | to 7.10.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the SFTP service of Fortra's GoAnywhere MFT versions prior to 7.10.0. Specifically, the login limit is not enforced when a Web User is configured to log in using an SSH Key. As a result, the SSH key can be subjected to brute force attacks, where an attacker repeatedly attempts to guess the key to gain unauthorized access.
How can this vulnerability impact me? :
The vulnerability allows attackers to perform brute force attacks on SSH keys without any login attempt limits. This can lead to unauthorized access to the SFTP service, potentially compromising the confidentiality, integrity, and availability of data transferred or stored via the service.