Every payroll file, patient record, and confidential contract moving through thousands of corporate file-transfer systems right now could be unlocked by an attacker who simply keeps guessing — and the software will never stop them.
Who Is at Risk, and How Bad Is This?
Fortra's GoAnywhere Managed File Transfer (MFT) is the invisible plumbing behind sensitive data exchange at banks, hospitals, government agencies, and Fortune 500 companies worldwide. Organizations use it to ship payroll runs between HR platforms, move patient records between hospital systems, and transfer financial data across borders — all automatically, all supposedly securely.
Fortra claims thousands of enterprise customers globally. The vulnerability, tracked as CVE-2025-14362 and rated HIGH severity with a CVSS score of 7.3, affects every version of GoAnywhere MFT prior to 7.10.0. That's a very large window of exposure. Security researchers flag MFT products as high-value targets because compromising one doesn't just expose one company — it can expose every partner, supplier, and client that company exchanges files with. This isn't abstract. The 2023 MOVEit MFT attacks hit over 2,600 organizations and exposed data belonging to more than 77 million people.
What an Attacker Can Actually Do
Here's how secure file transfer is supposed to work: instead of typing in a password every time, a user or automated system is issued a cryptographic key — essentially a very long, machine-generated password. The server recognizes this key and grants access. It's generally considered more secure than a regular password because the key is so complex. But "complex" only matters if the attacker can't just keep trying until they get it right.
That's exactly the problem here. GoAnywhere's SFTP service — the encrypted channel through which all those files travel — has no limit on how many times someone can try to authenticate. For ordinary password-based logins, the limit is apparently enforced. But for accounts set up to log in with an SSH key? The door is left wide open. An attacker who finds or guesses a valid username can point automated software at the server and try millions of key combinations, hour after hour, day after day, with nothing pushing back. No lockout. No alarm. No slowdown.
If they succeed, they don't just read files — they step into the shoes of a trusted automated system. They can download anything that account is permitted to see, upload poisoned files that downstream systems will blindly process, or sit quietly and watch every future transfer. In industries like healthcare, finance, and defense contracting, that access is catastrophic. The stolen data might not appear on the dark web for months, meaning the breach could already be in progress before anyone notices.
The Technical Detail Security Researchers Need to Know
The vulnerability is a rate-limiting bypass in the SFTP subsystem's authentication handler, specifically affecting Web User accounts configured for public-key authentication. The flaw is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). Critically, the bypass is conditional — it only triggers when the targeted account's authentication method is set to SSH Key rather than password, meaning organizations that believe they've hardened their accounts by switching away from passwords may have inadvertently made themselves more vulnerable to this specific attack path. The asymmetry in enforcement between authentication methods suggests the rate-limiting logic was implemented at the application layer for password flows but never extended to the key-based authentication code path in the SFTP daemon.
Has This Been Exploited in the Wild?
As of publication, no confirmed active exploitation has been reported. The vulnerability was disclosed through Fortra's coordinated security advisory process, and no specific threat actor campaigns have been attributed to CVE-2025-14362 at this time. However, that window of safety may be short. GoAnywhere vulnerabilities have a grim history of rapid weaponization — CVE-2023-0669, a critical GoAnywhere flaw, was exploited by the Cl0p ransomware gang within days of disclosure, leading to one of the largest mass-exploitation events in recent memory. Security teams should treat the absence of known exploitation as a reason to move fast, not a reason to relax.
The vulnerability was identified and reported through responsible disclosure. Fortra has issued a patch in GoAnywhere MFT version 7.10.0.
What You Need to Do Right Now
If your organization uses GoAnywhere MFT in any capacity — directly or through a managed service provider — take these three steps immediately:
- Upgrade to GoAnywhere MFT version 7.10.0 or later — today. This is the only complete fix. Log into your GoAnywhere admin console, navigate to the system update panel, and apply the patch. If you manage this through a vendor or MSP, contact them now and confirm in writing when the update will be applied. Don't accept "we're working on it" — get a specific date and time.
- Audit all SFTP Web User accounts configured for SSH key authentication immediately. In the GoAnywhere admin console, pull a full list of Web Users and filter by authentication method. Any account using SSH key authentication on a version prior to 7.10.0 should be treated as potentially exposed. Review access logs for those accounts going back at least 90 days, looking for unusual login times, unfamiliar IP addresses, or abnormally high numbers of authentication events that could indicate brute-force attempts already in progress.
- Place your GoAnywhere SFTP interface behind a VPN or IP allowlist if you haven't already. The ability to brute-force this service from the open internet is what makes this flaw dangerous at scale. If your SFTP port (typically 22 or a custom port) is publicly reachable from any IP address, change that now regardless of whether you've patched. Network-level controls — firewall rules, VPN requirements, IP allowlisting for known trading partners — are a critical second layer of defense that limits who can even attempt an attack.
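The log review in step 2 (and the password-versus-key asymmetry described in the technical section) can be turned into a simple detection: the script below, an added example and not code from Fortra or the original article, counts failed public-key authentications per user and source address inside a sliding window and flags bursts, while ignoring password failures because the page states those are already rate-limited. The log line format, the `SAMPLE_LOG` lines and the threshold are constructed assumptions for illustration; GoAnywhere's real audit-log layout differs, so the regex is what would need adapting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical log format (not GoAnywhere's real one); adapt
# this regex to the actual SFTP audit log before using the script.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SFTP auth (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) method=(?P<method>\S+) ip=(?P<ip>\S+)$"
)

def parse(lines):
    """Yield (timestamp, result, user, method, ip) for each parseable line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["result"], m["user"], m["method"], m["ip"]

def find_key_bruteforce(lines, threshold=20, window=timedelta(minutes=10)):
    """Return {(user, ip): peak_count} for pairs whose failed publickey
    attempts reach `threshold` within any `window`-long sliding window."""
    failures = defaultdict(list)
    for ts, result, user, method, ip in parse(lines):
        if method == "publickey" and result == "FAILURE":
            failures[(user, ip)].append(ts)
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged

def _constructed_sample():
    """Constructed sample log: one key-auth burst, one legitimate login,
    and a password-failure burst that the detection should ignore."""
    base = datetime(2025, 12, 1, 2, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [f"{base + timedelta(seconds=i):{fmt}} SFTP auth FAILURE "
             f"user=payroll-bot method=publickey ip=203.0.113.7" for i in range(25)]
    lines.append(f"{base:{fmt}} SFTP auth SUCCESS user=payroll-bot method=publickey ip=198.51.100.2")
    lines += [f"{base + timedelta(seconds=i):{fmt}} SFTP auth FAILURE "
              f"user=vendor-x method=password ip=203.0.113.7" for i in range(30)]
    return lines

SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for (user, ip), n in find_key_bruteforce(SAMPLE_LOG).items():
        print(f"REVIEW: {user} from {ip}: {n} failed key auths within window")
```

Treat a flagged pair as a lead for the 90-day review in step 2, not as proof of compromise; a legitimate automation host with a rotated key can also fail repeatedly.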
The Bigger Picture
This vulnerability is a reminder that "more secure" is always relative to implementation. SSH keys are genuinely stronger than passwords — unless the system guarding them has no mechanism to stop someone from trying millions of them. Security features exist in layers, and when one layer is missing, the feature it was meant to protect can become a liability. For organizations whose business depends on trusted file exchange, the lesson is the same one MOVEit victims learned the hard way: MFT platforms are crown jewel infrastructure. They deserve crown jewel scrutiny.
CVE-2025-14362 | CVSS 7.3 HIGH | Fixed in GoAnywhere MFT 7.10.0 | No active exploitation confirmed at time of publication.