CVE-2025-3871 MEDIUM

CVE-2025-3871: Broken Access Control Leads to Limited Denial of Service in GoAnywhere MFT 7.8.0 and earlier

Vendor: Fortra
Product: GoAnywhere MFT
Weakness: CWE-862 · Missing authorization
Published: July 16, 2025
Last update: July 18, 2025

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to cause a denial of service when the product is configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted, and that user will be disabled if they have configured GOTP.

Key dates

02 Disclosure timeline

July 16, 2025: CVE published
July 18, 2025: Record updated
