CVE-2025-8148 | THREATINT

Description

An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.

PUBLISHED Reserved 2025-07-24 | Published 2025-12-05 | Updated 2025-12-05 | Assigner Fortra

MEDIUM: 4.2CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-732 Incorrect Permission Assignment for Critical Resource

CWE-863 Incorrect Authorization

Product status

Default status

unaffected

Any version before 7.9.0

affected

References

www.fortra.com/...ty/advisories/product-security/fi-2025-013

cve.org (CVE-2025-8148)

nvd.nist.gov (CVE-2025-8148)