CVE-2025-8148 (GCVE-0-2025-8148)

Vulnerability from cvelistv5 – Published: 2025-12-05 20:56 – Updated: 2025-12-05 21:48
VLAI?
Title
CVE-2025-8148 Improper Access Control in SFTP service of GoAnywhere MFT
Summary
An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.
Severity ?
4.2 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
  • CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Vendor Product Version
Fortra GoAnywhere MFT Affected: 0 , < 7.9.0 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-8148",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T21:48:36.023662Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T21:48:44.070Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "MacOS",
            "Linux"
          ],
          "product": "GoAnywhere MFT",
          "vendor": "Fortra",
          "versions": [
            {
              "lessThan": "7.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An Improper Access Control in the SFTP service in Fortra\u0027s GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key."
            }
          ],
          "value": "An Improper Access Control in the SFTP service in Fortra\u0027s GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-05T21:00:51.454Z",
        "orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
        "shortName": "Fortra"
      },
      "references": [
        {
          "url": "https://www.fortra.com/security/advisories/product-security/fi-2025-013"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to remediated version.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Upgrade to remediated version."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-8148 Improper Access Control in SFTP service of GoAnywhere MFT",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Remove any SSH Keys assigned to Web Users that are configured for Password-only authentication to the SFTP service.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Remove any SSH Keys assigned to Web Users that are configured for Password-only authentication to the SFTP service."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
    "assignerShortName": "Fortra",
    "cveId": "CVE-2025-8148",
    "datePublished": "2025-12-05T20:56:05.135Z",
    "dateReserved": "2025-07-24T21:27:23.294Z",
    "dateUpdated": "2025-12-05T21:48:44.070Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-8148\",\"sourceIdentifier\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"published\":\"2025-12-05T21:15:54.907\",\"lastModified\":\"2025-12-08T18:26:49.133\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Improper Access Control in the SFTP service in Fortra\u0027s GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-732\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"references\":[{\"url\":\"https://www.fortra.com/security/advisories/product-security/fi-2025-013\",\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-8148\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-05T21:48:36.023662Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-05T21:48:39.950Z\"}}], \"cna\": {\"title\": \"CVE-2025-8148 Improper Access Control in SFTP service of GoAnywhere MFT\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-180\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Fortra\", \"product\": \"GoAnywhere MFT\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"7.9.0\", \"versionType\": \"custom\"}], \"platforms\": [\"Windows\", \"MacOS\", \"Linux\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to remediated version.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Upgrade to remediated version.\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.fortra.com/security/advisories/product-security/fi-2025-013\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Remove any SSH Keys assigned to Web Users that are configured for Password-only authentication to the SFTP service.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Remove any SSH Keys assigned to Web Users that are configured for Password-only authentication to the SFTP service.\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An Improper Access Control in the SFTP service in Fortra\u0027s GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An Improper Access Control in the SFTP service in Fortra\u0027s GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-732\", \"description\": \"CWE-732 Incorrect Permission Assignment for Critical Resource\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"df4dee71-de3a-4139-9588-11b62fe6c0ff\", \"shortName\": \"Fortra\", \"dateUpdated\": \"2025-12-05T21:00:51.454Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-8148\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-05T21:48:44.070Z\", \"dateReserved\": \"2025-07-24T21:27:23.294Z\", \"assignerOrgId\": \"df4dee71-de3a-4139-9588-11b62fe6c0ff\", \"datePublished\": \"2025-12-05T20:56:05.135Z\", \"assignerShortName\": \"Fortra\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.