Broken Access Control Leads to Limited Denial of Service in GoAnywhere MFT Prior to 7.8.1

FI-2025-009 - Broken Access Control Leads to Limited Denial of Service in GoAnywhere MFT Prior to 7.8.1

Severity
Medium
Published Date
16-Jul-2025
Updated Date
16-Jul-2025
Vulnerabilities
CVE-2025-3871

Notes
Description

Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an unauthenticated attacker to cause a limited denial of service when the product is configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and a user has no email address set. In that configuration the login flow prompts for an email address; an attacker who reaches that prompt can enter the email address of a known user, and if that user has GOTP configured, the targeted user's account is disabled.

Vulnerabilities

Broken Access Control Leads to Limited Denial of Service in GoAnywhere MFT Prior to 7.8.1
Severity
Medium
CVE
CVE-2025-3871
CWE
CWE-862:Missing Authorization
Discovery Date
15-Jul-2025
CVSSv3.1
5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products
GoAnywhere MFT 7.8.0 and earlier
Vulnerability Notes
Remediation: Mitigation

  • Ensure every user configured to use GOTP email for 2FA already has an email address set, so the login flow never has to prompt for one.

  • Where the email address cannot be set ahead of time (for example, Self-Registration), switch the Admin and Web User Templates to another 2FA option such as Time-based One-Time Password (TOTP) or RADIUS.

Remediation: Vendor Fix

Update to GoAnywhere MFT 7.8.1 or higher
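
The following audit helper is an added example, not Fortra code and not based on any GoAnywhere MFT API. It checks the two conditions the mitigation and vendor fix above turn on: whether the installed version is below 7.8.1 (compared numerically, so a 7.10.x release is not mistaken for an affected one by string comparison) and which accounts use GOTP email 2FA without an email address set. It assumes the accounts have been exported to a CSV with the columns account_type, username, two_factor_method and email, and that the GOTP email method is spelled GOTP_EMAIL in that export; the sample export embedded in the script is constructed for illustration.

```python
"""Audit helper for CVE-2025-3871 exposure (added example, not Fortra code).

Assumptions (not from the advisory): accounts have been exported to CSV with
the columns account_type, username, two_factor_method and email, and the GOTP
email method is spelled "GOTP_EMAIL" in that export.
"""
import csv
import io
import re

FIXED_VERSION = (7, 8, 1)    # first fixed release per the advisory
GOTP_EMAIL = "GOTP_EMAIL"    # assumed spelling of the GOTP email 2FA method

# Constructed sample export; column names and values are assumptions.
SAMPLE_EXPORT = """account_type,username,two_factor_method,email
web,alice,GOTP_EMAIL,alice@example.com
web,bob,GOTP_EMAIL,
web,carol,TOTP,
admin,root,GOTP_EMAIL,
admin,ops,RADIUS,ops@example.com
web,selfreg-42,GOTP_EMAIL,
"""


def parse_version(version):
    """'7.8.0' -> (7, 8, 0); uses the first three numeric components only."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts[:3])


def version_is_affected(version):
    """True for releases below 7.8.1. Numeric tuple comparison, so 7.10.x
    is correctly treated as newer than 7.8.1 (a string compare would not)."""
    v = (parse_version(version) + (0, 0, 0))[:3]
    return v < FIXED_VERSION


def parse_export(text):
    """Parse the assumed CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def at_risk_accounts(rows):
    """Accounts using GOTP email 2FA with no email set, grouped by account type.
    These are the accounts whose login flow prompts for an email address and
    which can therefore be used to get another GOTP user disabled."""
    out = {}
    for r in rows:
        method = (r.get("two_factor_method") or "").strip().upper()
        email = (r.get("email") or "").strip()
        if method == GOTP_EMAIL and not email:
            kind = (r.get("account_type") or "").strip().lower()
            out.setdefault(kind, []).append(r["username"])
    return out


def audit(version, export_text):
    """Combine the version check and the account check into one verdict."""
    at_risk = at_risk_accounts(parse_export(export_text))
    affected = version_is_affected(version)
    if not affected:
        action = "none: running a fixed release"
    elif at_risk:
        action = ("set an email for the listed accounts, or change the "
                  "Admin/Web User Templates to TOTP or RADIUS, then update "
                  "to 7.8.1 or later")
    else:
        action = "update to 7.8.1 or later"
    return {"version": version, "affected_version": affected,
            "at_risk": at_risk, "action": action}


if __name__ == "__main__":
    import json
    print(json.dumps(audit("7.8.0", SAMPLE_EXPORT), indent=2))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents (adjusting the column names if your export differs); the accounts reported under at_risk are the ones to give an email address or move to TOTP/RADIUS until the update to 7.8.1 is applied.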

 