All the vulnerabilites related to Fortra - Goanywhere MFT
cve-2024-0204
Vulnerability from cvelistv5
Published
2024-01-22 18:05
Modified
2025-05-30 14:22
Severity ?
EPSS score ?
Summary
Authentication Bypass in GoAnywhere MFT
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Fortra | GoAnywhere MFT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T17:41:15.984Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.fortra.com/security/advisory/fi-2024-001"
},
{
"tags": [
"permissions-required",
"x_transferred"
],
"url": "https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:41:03.677995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:22:31.288Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "GoAnywhere MFT",
"vendor": "Fortra",
"versions": [
{
"lessThan": "7.4.1",
"status": "affected",
"version": "6.0.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mohammed Eldeeb \u0026 Islam Elrfai, Spark Engineering Consultants"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication bypass in Fortra\u0027s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal."
}
],
"value": "Authentication bypass in Fortra\u0027s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425 Direct Request (\u0027Forced Browsing\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T17:06:23.244Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.fortra.com/security/advisory/fi-2024-001"
},
{
"tags": [
"permissions-required"
],
"url": "https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml"
},
{
"url": "http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html"
},
{
"url": "http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to version 7.4.1 or higher. The vulnerability may also be eliminated in non-container deployments by deleting the\u0026nbsp;InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml\"\u003ehttps://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml\u003c/a\u003e\u0026nbsp;(registration required).\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml\"\u003e\u003c/a\u003e"
}
],
"value": "Upgrade to version 7.4.1 or higher. The vulnerability may also be eliminated in non-container deployments by deleting the\u00a0InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see\u00a0 https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml \u00a0(registration required). https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml"
}
],
"source": {
"advisory": "XXX-YYY",
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass in GoAnywhere MFT",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Users are encouraged to apply defense-in-depth tactics to limit access to the administrative console. Do not expose the console to the internet and apply web application controls such as a WAF, monitoring, and access controls.\u0026nbsp;"
}
],
"value": "Users are encouraged to apply defense-in-depth tactics to limit access to the administrative console. Do not expose the console to the internet and apply web application controls such as a WAF, monitoring, and access controls."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2024-0204",
"datePublished": "2024-01-22T18:05:13.194Z",
"dateReserved": "2024-01-03T00:12:28.436Z",
"dateUpdated": "2025-05-30T14:22:31.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-10035
Vulnerability from cvelistv5
Published
2025-09-18 22:01
Modified
2025-09-29 22:20
Severity ?
EPSS score ?
Summary
Deserialization Vulnerability in GoAnywhere MFT's License Servlet
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Fortra | GoAnywhere MFT |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10035",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-09-29",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-10035"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T22:20:24.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2025-09-29T00:00:00+00:00",
"value": "CVE-2025-10035 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"Linux",
"Windows",
"MacOS"
],
"product": "GoAnywhere MFT",
"vendor": "Fortra",
"versions": [
{
"lessThanOrEqual": "7.8.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A deserialization vulnerability in the License Servlet of Fortra\u0027s GoAnywhere MFT allows an actor with a validly forged license response signature to \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edeserialize an arbitrary actor-controlled object, possibly leading to command injection.\u003c/span\u003e"
}
],
"value": "A deserialization vulnerability in the License Servlet of Fortra\u0027s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T22:43:41.684Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"url": "https://www.fortra.com/security/advisories/product-security/fi-2025-012"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to a patched version (the latest release 7.8.4, or the Sustain Release 7.6.3)"
}
],
"value": "Upgrade to a patched version (the latest release 7.8.4, or the Sustain Release 7.6.3)"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Deserialization Vulnerability in GoAnywhere MFT\u0027s License Servlet",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\nImmediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet. \n\n\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Immediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2025-10035",
"datePublished": "2025-09-18T22:01:51.337Z",
"dateReserved": "2025-09-05T16:43:32.877Z",
"dateUpdated": "2025-09-29T22:20:24.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-0669
Vulnerability from cvelistv5
Published
2023-02-06 19:16
Modified
2025-07-30 01:37
Severity ?
EPSS score ?
Summary
Fortra GoAnywhere MFT License Response Servlet Command Injection
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Fortra | Goanywhere MFT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:50.355Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1"
},
{
"tags": [
"media-coverage",
"x_transferred"
],
"url": "https://infosec.exchange/@briankrebs/109795710941843934"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/17607"
},
{
"tags": [
"media-coverage",
"x_transferred"
],
"url": "https://duo.com/decipher/fortra-patches-actively-exploited-zero-day-in-goanywhere-mft"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/171789/Goanywhere-Encryption-Helper-7.1.1-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-0669",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2023-12-09T05:05:06.460030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-02-10",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-0669"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:37:31.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2023-02-10T00:00:00+00:00",
"value": "CVE-2023-0669 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Goanywhere MFT",
"vendor": "Fortra",
"versions": [
{
"lessThanOrEqual": "7.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "other",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Brian Krebs of Krebs on Security"
},
{
"lang": "en",
"type": "analyst",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ron Bowes of Rapid7"
},
{
"lang": "en",
"type": "analyst",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Caitlin Condon of Rapid7"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Fryco of Frycos Security"
}
],
"datePublic": "2023-02-01T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2."
}
],
"value": "Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-10T19:06:33.125Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1"
},
{
"tags": [
"media-coverage"
],
"url": "https://infosec.exchange/@briankrebs/109795710941843934"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/17607"
},
{
"tags": [
"media-coverage"
],
"url": "https://duo.com/decipher/fortra-patches-actively-exploited-zero-day-in-goanywhere-mft"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html"
},
{
"url": "http://packetstormsecurity.com/files/171789/Goanywhere-Encryption-Helper-7.1.1-Remote-Code-Execution.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Fortra GoAnywhere MFT License Response Servlet Command Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2023-0669",
"datePublished": "2023-02-06T19:16:19.265Z",
"dateReserved": "2023-02-03T22:09:23.898Z",
"dateUpdated": "2025-07-30T01:37:31.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-11922
Vulnerability from cvelistv5
Published
2025-04-28 20:57
Modified
2025-04-28 22:27
Severity ?
EPSS score ?
Summary
Input Validation vulnerability in Web Client emails that do not go through Secure Mail
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.fortra.com/security/advisories/product-security/fi-2025-005 | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Fortra | GoAnywhere MFT |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11922",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T22:27:45.719964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T22:27:53.032Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux",
"64 bit",
"iSeries",
"IBM System P",
"IBM z (Mainframe)",
"UNIX"
],
"product": "GoAnywhere MFT",
"vendor": "Fortra",
"versions": [
{
"lessThanOrEqual": "7.7.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-04-22T18:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing input validation in certain features of the Web Client of Fortra\u0027s GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\u0026nbsp;insert arbitrary HTML or JavaScript into an email."
}
],
"value": "Missing input validation in certain features of the Web Client of Fortra\u0027s GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\u00a0insert arbitrary HTML or JavaScript into an email."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T20:57:37.388Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.fortra.com/security/advisories/product-security/fi-2025-005"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to version 7.8.0"
}
],
"value": "Upgrade to version 7.8.0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Input Validation vulnerability in Web Client emails that do not go through Secure Mail",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(9, 30, 66, 0.055);\"\u003eLimit access to only trustworthy Web Users\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Limit access to only trustworthy Web Users"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2024-11922",
"datePublished": "2025-04-28T20:57:37.388Z",
"dateReserved": "2024-11-27T18:20:19.664Z",
"dateUpdated": "2025-04-28T22:27:53.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-9945
Vulnerability from cvelistv5
Published
2024-12-13 15:22
Modified
2025-08-29 20:18
Severity ?
EPSS score ?
Summary
Limited Information Disclosure in GoAnywhere MFT Prior to 7.7.0
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.fortra.com/security/advisories/product-security/fi-2024-014 | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Fortra | GoAnywhere MFT |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9945",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T17:35:02.426621Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T17:35:32.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux",
"64 bit",
"iSeries",
"IBM System P",
"IBM z (Mainframe)",
"UNIX"
],
"product": "GoAnywhere MFT",
"vendor": "Fortra",
"versions": [
{
"lessThan": "7.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "xiao xiong"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An information-disclosure vulnerability exists in Fortra\u0027s GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders.\u0026nbsp;\u0026nbsp;\u003cbr\u003e"
}
],
"value": "An information-disclosure vulnerability exists in Fortra\u0027s GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425 Direct Request (\u0027Forced Browsing\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T20:18:10.908Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.fortra.com/security/advisories/product-security/fi-2024-014"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to GoAnywhere 7.7.0 or higher."
}
],
"value": "Upgrade to GoAnywhere 7.7.0 or higher."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Limited Information Disclosure in GoAnywhere MFT Prior to 7.7.0",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2024-9945",
"datePublished": "2024-12-13T15:22:31.536Z",
"dateReserved": "2024-10-14T17:47:11.055Z",
"dateUpdated": "2025-08-29T20:18:10.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-3871
Vulnerability from cvelistv5
Published
2025-07-16 14:00
Modified
2025-07-18 14:52
Severity ?
EPSS score ?
Summary
Broken Access Control Leads to Limited Denial of Service in GoAnywhere MFT 7.8.0 and earlier
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Fortra | GoAnywhere MFT |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T14:52:21.643028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T14:52:28.197Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GoAnywhere MFT",
"vendor": "Fortra",
"versions": [
{
"lessThan": "7.8.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Broken access control in Fortra\u0027s GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP.\u0026nbsp;"
}
],
"value": "Broken access control in Fortra\u0027s GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP."
}
],
"impacts": [
{
"capecId": "CAPEC-151",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-151 Identity Spoofing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T14:00:27.665Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"url": "https://www.fortra.com/security/advisories/product-security/FI-2025-009"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to GoAnwhere MFT 7.8.1 or higher"
}
],
"value": "Upgrade to GoAnwhere MFT 7.8.1 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Broken Access Control Leads to Limited Denial of Service in GoAnywhere MFT 7.8.0 and earlier",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003e\u003cp\u003eEnsure all users configured to use GOTP email for 2FA already have an email set.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eIn situations where the email cannot be set ahead of time (ex: Self-Registration), switch Admin and Web User Templates to use another 2FA option such as Time-based One-Time Password or RADIUS.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Ensure all users configured to use GOTP email for 2FA already have an email set.\n\n\n * In situations where the email cannot be set ahead of time (ex: Self-Registration), switch Admin and Web User Templates to use another 2FA option such as Time-based One-Time Password or RADIUS."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2025-3871",
"datePublished": "2025-07-16T14:00:27.665Z",
"dateReserved": "2025-04-22T14:56:48.089Z",
"dateUpdated": "2025-07-18T14:52:28.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-25157
Vulnerability from cvelistv5
Published
2024-08-14 15:04
Modified
2024-08-29 03:55
Severity ?
EPSS score ?
Summary
Authentication bypass in GoAnywhere MFT prior to 7.6.0
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Fortra | GoAnywhere MFT |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fortra:goanywhere_managed_file_transfer:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "goanywhere_managed_file_transfer",
"vendor": "fortra",
"versions": [
{
"lessThan": "7.6.0",
"status": "affected",
"version": "6.0.1",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25157",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T03:55:30.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "GoAnywhere MFT",
"vendor": "Fortra",
"versions": [
{
"lessThan": "7.6.0",
"status": "affected",
"version": "6.0.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification."
}
],
"value": "An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T15:04:10.987Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"url": "https://www.fortra.com/security/advisories/product-security/fi-2024-009"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to GoAnywhere MFT 7.6.0\u003cbr\u003e"
}
],
"value": "Upgrade to GoAnywhere MFT 7.6.0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication bypass in GoAnywhere MFT prior to 7.6.0",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2024-25157",
"datePublished": "2024-08-14T15:04:10.987Z",
"dateReserved": "2024-02-06T21:23:57.925Z",
"dateUpdated": "2024-08-29T03:55:30.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-25156
Vulnerability from cvelistv5
Published
2024-03-14 14:06
Modified
2024-08-01 23:36
Severity ?
EPSS score ?
Summary
Path traversal in GoAnywhere MFT 7.4.1 and Earlier
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Fortra | GoAnywhere MFT |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-14T15:52:32.871760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:35:04.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:36:21.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fortra.com/security/advisory/fi-2024-004"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GoAnywhere MFT",
"vendor": "Fortra",
"versions": [
{
"lessThanOrEqual": "7.4.1",
"status": "affected",
"version": "6.0.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mohammed Eldeeb \u0026 Islam Elrfai, Spark Engineering Consultants"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vcth4nh from VcsLab of Viettel Cyber Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003eA path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients.\u003c/span\u003e\n\n"
}
],
"value": "\nA path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-14T14:06:01.498Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"url": "https://www.fortra.com/security/advisory/fi-2024-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path traversal in GoAnywhere MFT 7.4.1 and Earlier",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2024-25156",
"datePublished": "2024-03-14T14:06:01.498Z",
"dateReserved": "2024-02-06T21:23:57.925Z",
"dateUpdated": "2024-08-01T23:36:21.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}