CVE-2025-8148 MEDIUM

CVE-2025-8148: Improper Access Control in SFTP service of GoAnywhere MFT

Vendor Fortra
Product GoAnywhere MFT
Weakness CWE-732
Published December 5, 2025
Last update December 5, 2025

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

An improper access control vulnerability in the SFTP service of Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users who have an Authentication Alias and a valid SSH key, but who are limited to Password authentication for SFTP, to still log in using their SSH key.

Key dates

02 Disclosure timeline

December 5, 2025 CVE published
December 5, 2025 Record updated