SB20260619125 - Multiple vulnerabilities in GoAnywhere MFT

Published: June 19, 2026

Security Bulletin ID: SB20260619125
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 40% (2 of 5)
Low: 60% (3 of 5)

Description

This security bulletin contains information about 5 vulnerabilities.


1) Inadequate Encryption Strength (CVE-ID: CVE-2025-1241)

CWE-ID: CWE-326 - Inadequate Encryption Strength

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists because the encryption implementation uses a static initialization vector (IV) when encrypting values. Reusing one IV under one key makes the encryption deterministic: identical plaintexts always produce identical ciphertexts, and (in CBC mode) plaintexts that share a prefix produce ciphertexts that share the corresponding leading blocks. A remote privileged user who can have values encrypted under the same key can therefore brute-force stored data by encrypting candidate values and comparing the results with the stored ciphertext.

The issue is caused by the use of a static IV.
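The following is an added example, not code from GoAnywhere MFT or its vendor, showing why a static IV matters. It uses AES-CBC from the Go standard library with a constructed key and constructed stored values; the bulletin does not say which cipher or mode the product uses, so the mode, the key and the candidate list are assumptions. EncryptStatic models the weakness, EncryptRandom the corrected behaviour, and GuessByComparison is the comparison attack a privileged user can run against deterministic encryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// DemoKey is constructed for this example only; it is not a real secret.
var DemoKey = bytes.Repeat([]byte{0x42}, 32)

// staticIV models the weakness: one hard-coded IV reused for every value,
// which turns CBC into a deterministic function of the plaintext.
var staticIV = make([]byte, aes.BlockSize)

// pkcs7 pads p to a whole number of AES blocks.
func pkcs7(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC encrypts p under key with the given IV and returns iv||ciphertext.
func encryptCBC(key, iv, p []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7(p)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...)
}

// EncryptStatic is the flawed variant: every call reuses staticIV.
func EncryptStatic(key, p []byte) []byte { return encryptCBC(key, staticIV, p) }

// EncryptRandom is the corrected variant: a fresh random IV per message.
func EncryptRandom(key, p []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return encryptCBC(key, iv, p)
}

// FirstBlocksEqual reports whether two iv||ciphertext values share their first
// ciphertext block. Under a static IV that happens exactly when the plaintexts
// share their first 16 bytes, so stored values leak common prefixes.
func FirstBlocksEqual(a, b []byte) bool {
	return bytes.Equal(a[aes.BlockSize:2*aes.BlockSize], b[aes.BlockSize:2*aes.BlockSize])
}

// GuessByComparison is the "brute force" available against deterministic
// encryption: encrypt each candidate with the same routine and compare with
// the stored ciphertext. It returns the matching candidate, or "" if none matches.
func GuessByComparison(encrypt func([]byte) []byte, stored []byte, candidates []string) string {
	for _, c := range candidates {
		if bytes.Equal(encrypt([]byte(c)), stored) {
			return c
		}
	}
	return ""
}

func main() {
	secret := []byte("Winter2026!") // constructed stored value
	candidates := []string{"Password1", "Winter2025!", "Winter2026!"}

	static := func(p []byte) []byte { return EncryptStatic(DemoKey, p) }
	random := func(p []byte) []byte { return EncryptRandom(DemoKey, p) }

	fmt.Printf("static IV: repeated plaintext gives identical ciphertext: %v\n",
		bytes.Equal(static(secret), static(secret)))
	fmt.Printf("static IV: shared prefix gives shared first block:        %v\n",
		FirstBlocksEqual(static([]byte("svc-account-pass-A")), static([]byte("svc-account-pass-B"))))
	fmt.Printf("static IV: recovered by comparison:                      %q\n",
		GuessByComparison(static, static(secret), candidates))

	fmt.Printf("random IV: repeated plaintext gives identical ciphertext: %v\n",
		bytes.Equal(random(secret), random(secret)))
	fmt.Printf("random IV: recovered by comparison:                      %q\n",
		GuessByComparison(random, random(secret), candidates))
}
```

With the random IV the comparison fails even though the attacker still controls the encryption routine, because the routine no longer produces a ciphertext the attacker can predict. The fix is a per-message random IV; for a mode that needs a nonce rather than an IV (CTR, GCM) the same reuse instead reveals the XOR of plaintexts, which is worse.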


2) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2025-14362)

CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass login attempt restrictions and guess an SSH key.

The vulnerability exists because the SFTP service does not enforce its restriction on excessive authentication attempts when processing login attempts for a web user configured to authenticate with an SSH key. A remote attacker can send an unlimited number of public-key authentication attempts against such an account, bypassing the lockout that would otherwise apply, and use them to guess an accepted key.

Only web users configured to log in with an SSH key are affected.
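The following is an added example, not GoAnywhere MFT's code, of the control this finding is about: a failed-attempt limiter that must be consulted for every authentication method, not only for passwords. The Limiter, KeyStore, fingerprint strings and the "partner-upload" user are constructed for the example; allMethods=false models the flawed behaviour and allMethods=true the corrected one.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// AuthMethod names how an SFTP login attempt authenticates.
type AuthMethod string

const (
	MethodPassword  AuthMethod = "password"
	MethodPublicKey AuthMethod = "publickey"
)

// Limiter tracks failed attempts per user inside a sliding window and refuses
// further attempts at the threshold. allMethods=false models the flaw: only
// password attempts are counted, so key attempts are never limited.
type Limiter struct {
	mu         sync.Mutex
	limit      int
	window     time.Duration
	failures   map[string][]time.Time
	allMethods bool
}

// NewLimiter builds a limiter allowing limit failures per window.
func NewLimiter(limit int, window time.Duration, allMethods bool) *Limiter {
	return &Limiter{limit: limit, window: window, failures: map[string][]time.Time{}, allMethods: allMethods}
}

func (l *Limiter) covers(m AuthMethod) bool {
	return l.allMethods || m == MethodPassword
}

// Allow reports whether an attempt for user via m may proceed.
func (l *Limiter) Allow(user string, m AuthMethod) bool {
	if !l.covers(m) {
		return true
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	cutoff := time.Now().Add(-l.window)
	kept := l.failures[user][:0]
	for _, ts := range l.failures[user] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	l.failures[user] = kept
	return len(kept) < l.limit
}

// RecordFailure registers a failed attempt for user via m.
func (l *Limiter) RecordFailure(user string, m AuthMethod) {
	if !l.covers(m) {
		return
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	l.failures[user] = append(l.failures[user], time.Now())
}

// KeyStore maps a web user to the fingerprint of the SSH key authorised for
// that user (a hypothetical storage model for the example).
type KeyStore map[string]string

// TryKeys models a client offering many candidate keys for one user. It
// returns how many the server evaluated and whether one was accepted.
func TryKeys(l *Limiter, ks KeyStore, user string, fingerprints []string) (evaluated int, accepted bool) {
	for _, fp := range fingerprints {
		if !l.Allow(user, MethodPublicKey) {
			return evaluated, false
		}
		evaluated++
		if ks[user] == fp {
			return evaluated, true
		}
		l.RecordFailure(user, MethodPublicKey)
	}
	return evaluated, false
}

// Scenario runs a constructed attack: 1,000 candidate fingerprints with the
// authorised one last, against a limiter of 5 failures per 15 minutes.
func Scenario(allMethods bool) (evaluated int, accepted bool) {
	ks := KeyStore{"partner-upload": "SHA256:fp-0999"}
	var candidates []string
	for i := 0; i < 1000; i++ {
		candidates = append(candidates, fmt.Sprintf("SHA256:fp-%04d", i))
	}
	return TryKeys(NewLimiter(5, 15*time.Minute, allMethods), ks, "partner-upload", candidates)
}

func main() {
	e, ok := Scenario(false)
	fmt.Printf("lockout on passwords only: evaluated %d key attempts, accepted=%v\n", e, ok)
	e, ok = Scenario(true)
	fmt.Printf("lockout on all methods:    evaluated %d key attempts, accepted=%v\n", e, ok)
}
```

A per-user counter on its own lets an attacker lock a legitimate user out by design; in practice the counter is combined with a per-source-address limit and an SSH-level cap on authentication attempts per connection, so that neither the bypass shown here nor a denial-of-service against the targeted user is cheap.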


3) Insufficient Session Expiration (CVE-ID: CVE-2026-0971)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose limited sensitive information.

The vulnerability exists due to insufficient session expiration in SAML session handling: when a SAML-authenticated session times out, the user is returned to the regular login page instead of the SAML login page. A remote attacker who induces a victim to interact with that page can obtain limited sensitive information.

User interaction is required.


4) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-1089)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to trigger arbitrary DNS lookups and disclose sensitive information.

The vulnerability exists because a value taken from a user-controlled HTTP header is passed, without neutralization, to a downstream component that performs DNS resolution. A remote attacker can send a request with a specially crafted header to make the server resolve a name of the attacker's choosing; since the attacker chooses the name, the lookup can be directed at a nameserver the attacker controls, which observes the query, and sensitive information can be disclosed.

The issue may also enable DNS rebinding.
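The following is an added example, not GoAnywhere MFT's code. The bulletin does not say which header is affected, so the example assumes the common case of the Host header (and X-Forwarded-Host behind a reverse proxy) and shows the standard defence: validate the value against an allowlist of names the server is actually published under before it reaches any component that might resolve, redirect to, or log it. AllowedHosts, the attacker names and the request builder are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// AllowedHosts lists the names this server is published under (constructed).
var AllowedHosts = map[string]bool{
	"mft.example.com": true,
	"localhost":       true,
}

// ErrUntrustedHost is returned for any host value outside AllowedHosts.
var ErrUntrustedHost = errors.New("untrusted Host header")

// hostname strips an optional :port from a Host value and unwraps IPv6 brackets.
func hostname(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return strings.Trim(h, "[]")
}

// EffectiveHost returns the hostname the server may use for redirects, links
// or lookups, or ErrUntrustedHost. X-Forwarded-Host is consulted only when
// trustProxy is set, because on a directly exposed listener it is attacker-controlled.
func EffectiveHost(r *http.Request, trustProxy bool) (string, error) {
	raw := r.Host
	if trustProxy {
		if xfh := r.Header.Get("X-Forwarded-Host"); xfh != "" {
			raw = xfh
		}
	}
	host := strings.ToLower(hostname(strings.TrimSpace(raw)))
	if host == "" || !AllowedHosts[host] {
		return "", ErrUntrustedHost
	}
	return host, nil
}

// NewRequest builds a request carrying the given Host and X-Forwarded-Host values.
func NewRequest(host, forwardedHost string) *http.Request {
	r, err := http.NewRequest(http.MethodGet, "http://placeholder/", nil)
	if err != nil {
		panic(err)
	}
	r.Host = host
	if forwardedHost != "" {
		r.Header.Set("X-Forwarded-Host", forwardedHost)
	}
	return r
}

func main() {
	cases := []struct {
		host, forwarded string
		trustProxy      bool
	}{
		{"mft.example.com", "", false},
		{"MFT.Example.com:8443", "", false},  // case and port are normalised away
		{"[::1]:443", "", false},             // IP literal not in the allowlist: rejected
		{"x7f2a.attacker.example", "", false}, // a flawed server would resolve this
		{"mft.example.com", "x7f2a.attacker.example", false}, // XFH ignored without a trusted proxy
		{"mft.example.com", "x7f2a.attacker.example", true},  // XFH honoured, then rejected
	}
	for _, c := range cases {
		host, err := EffectiveHost(NewRequest(c.host, c.forwarded), c.trustProxy)
		fmt.Printf("Host=%-24q XFH=%-24q trustProxy=%-5v -> host=%q err=%v\n",
			c.host, c.forwarded, c.trustProxy, host, err)
	}
}
```

The same allowlist check is what defeats DNS rebinding against a server: a rebound request arrives carrying the attacker's hostname in the Host header, so a server that refuses unknown Host values never acts on it.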


5) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-0972)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject HTML content into system-generated emails.

The vulnerability exists because user-supplied content is placed into system-generated emails without neutralization when the email body is built. A remote user can submit crafted input so that arbitrary HTML, such as a link or image pointing at an attacker-controlled site, is rendered in the body of emails the system sends to other users.

User interaction is required: the recipient must view the generated email.
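The following is an added example, not GoAnywhere MFT's code or templates, showing the difference between interpolating user input into an HTML email verbatim and escaping it for the context it lands in. The Notification type, the mail template and the DemoNotification input are constructed; RenderUnsafe uses Go's text/template to model the flaw and RenderSafe uses html/template, which escapes each field automatically.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Notification carries the fields merged into a system-generated email.
// DisplayName and Message come from user input in this scenario.
type Notification struct {
	DisplayName string
	FileName    string
	Message     string
}

// mailBody is a constructed template for the example.
const mailBody = `<p>{{.DisplayName}} shared <b>{{.FileName}}</b> with you.</p>
<p>Message: {{.Message}}</p>`

// DemoNotification is constructed attacker input: a phishing link in the
// sender name and a tracking image in the message.
var DemoNotification = Notification{
	DisplayName: `<a href="https://login.attacker.example/reset">IT Support</a>`,
	FileName:    "Q2-invoices.zip",
	Message:     `Your password expires today. <img src="https://attacker.example/t.gif?u=victim">`,
}

// RenderUnsafe interpolates fields verbatim; HTML in user input becomes markup.
func RenderUnsafe(n Notification) string {
	var buf bytes.Buffer
	tmpl := texttemplate.Must(texttemplate.New("mail").Parse(mailBody))
	if err := tmpl.Execute(&buf, n); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderSafe escapes every field for the HTML context it appears in, so user
// input is displayed as text instead of being interpreted by the mail client.
func RenderSafe(n Notification) string {
	var buf bytes.Buffer
	tmpl := htmltemplate.Must(htmltemplate.New("mail").Parse(mailBody))
	if err := tmpl.Execute(&buf, n); err != nil {
		panic(err)
	}
	return buf.String()
}

// ContainsRawTag reports whether rendered still contains the given unescaped markup.
func ContainsRawTag(rendered, tag string) bool {
	return strings.Contains(rendered, tag)
}

func main() {
	fmt.Println("--- text/template (vulnerable) ---")
	fmt.Println(RenderUnsafe(DemoNotification))
	fmt.Println("--- html/template (escaped) ---")
	fmt.Println(RenderSafe(DemoNotification))
}
```

Escaping at render time is the right layer: rejecting angle brackets on input misses fields that reach the template by other routes, and stripping tags leaves the same problem for attributes and entities. Where an application must let users include some formatting, it should sanitise against an allowlist of elements rather than try to blocklist dangerous ones.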


Remediation

Install the update from the vendor's website.