CVE-2025-1241 MEDIUM

CVE-2025-1241: Encryption vulnerable to brute-force decryption in GoAnywhere MFT

Vendor Fortra
Product GoAnywhere MFT
Weakness CWE-326 · Weak encryption
Published April 21, 2026
Last update April 21, 2026

CVSS base score

5.8/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.

Key dates

02Disclosure timeline

April 21, 2026 CVE published
April 21, 2026 Record updated