CVE-2025-0049

Summary

When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path which may allow Fuzzing for application mapping. This issue affects GoAnywhere: before 7.8.0.

Affected Software

VendorProductVersion RangeStatus
FortraGoAnywhere0 < 7.8affected

Weaknesses

  • CWE-209: CWE-209 Generation of Error Message Containing Sensitive Information

Workarounds

This issue occurs when the Web User does not have Create permission on Subfolders. It is a bug that happens when a user tries to upload a file to a directory that doesn’t exist yet (If they have permissions to create sub directories, then the non-existent directory would be created automatically).

Note: This workaround requires supplying an additional permission that the Web User does not have in vulnerable configurations.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References