CVE-2026-0972
Brute Force Vulnerability in GoAnywhere MFT SFTP SSH Key Login
Publication date: 2026-04-21
Last updated on: 2026-04-29
Assigner: Fortra
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortra | goanywhere_managed_file_transfer | to 7.10.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the SFTP service of Fortra's GoAnywhere MFT versions prior to 7.10.0. Specifically, the login limit is not enforced when a Web User is configured to log in using an SSH Key. As a result, the SSH key can be subjected to brute force attacks, where an attacker attempts to guess the key by trying many possibilities.
How can this vulnerability impact me? :
Because the login limit is not enforced for SSH key logins, an attacker can repeatedly attempt to guess the SSH key without being blocked. This increases the risk of unauthorized access to the SFTP service, potentially leading to data breaches, unauthorized data modification, or service disruption.