CVE-2025-8148: Improper Access Control in SFTP service of GoAnywhere MFT
Published Dec 5, 2025
·Updated
An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.
Affected Software
2 affected components
Fortra GoAnywhere MFT<7.9.0
Fortra Goanywhere Managed File Transfer<7.9.0
Remediation
Information
Upgrade to remediated version.
Event History
Dec 5, 2025
CVE Published
via MITRE·08:56 PM
Data Sourced
via MITRE·08:56 PM
RemedyDescriptionSeverityWeakness
Data Sourced
via NVD·09:15 PM
DescriptionSeverityWeaknessAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2025-8148?
CVE-2025-8148 has been categorized with a medium severity due to improper access control vulnerabilities.
2
How do I fix CVE-2025-8148?
To fix CVE-2025-8148, upgrade to Fortra's GoAnywhere MFT version 7.9.0 or later.
3
Who is affected by CVE-2025-8148?
Users of Fortra's GoAnywhere MFT prior to version 7.9.0 with an authentication alias and valid SSH key are affected by CVE-2025-8148.
4
What does CVE-2025-8148 allow attackers to do?
CVE-2025-8148 allows attackers to log in via SSH key even when limited to password authentication for SFTP.
5
When was CVE-2025-8148 discovered?
CVE-2025-8148 was publicly disclosed in 2025.