CVE-2025-3871

Summary

Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP.

Affected Software

VendorProductVersion RangeStatus
FortraGoAnywhere MFT0 < 7.8.1affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

Workarounds

  • Ensure all users configured to use GOTP email for 2FA already have an email set.

  • In situations where the email cannot be set ahead of time (ex: Self-Registration), switch Admin and Web User Templates to use another 2FA option such as Time-based One-Time Password or RADIUS.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References