CVE-2025-0049: CWE-209 Generation of Error Message Containing Sensitive Information in Fortra GoAnywhere

Severity: Low
Tags: Vulnerability, CVE-2025-0049, CVE, CWE-209
Published: Mon Apr 28 2025 (04/28/2025, 20:55:06 UTC)
Source: CVE
Vendor/Project: Fortra
Product: GoAnywhere

Description

When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path which may allow Fuzzing for application mapping. This issue affects GoAnywhere: before 7.8.0.

AI-Powered Analysis

AI analysis last updated: 06/24/2025, 22:20:27 UTC

Technical Analysis

CVE-2025-0049 is a vulnerability in Fortra's GoAnywhere managed file transfer solution, affecting versions prior to 7.8.0. The issue stems from improper error handling (classified under CWE-209: Generation of Error Message Containing Sensitive Information). Specifically, when a web user lacking 'Create' permission on subfolders attempts to upload a file to a directory that does not exist, the application returns an error message that discloses the absolute server file path. This leakage of internal path information can help an attacker map the application's directory structure through fuzzing, which in turn supports further reconnaissance or targeted attacks. Exploitation requires some level of authenticated access (the CVSS vector specifies PR:L and UI:R), meaning the attacker must be a logged-in user and must interact with the application to trigger the error. The CVSS v3.1 base score is 3.5 (low severity), reflecting a limited confidentiality impact and no direct effect on integrity or availability. No exploits in the wild are currently reported, and no patches are explicitly linked in the provided data, though remediation is presumably included in GoAnywhere version 7.8.0 or later, the first version not listed as affected.

Potential Impact

For European organizations utilizing Fortra GoAnywhere for secure file transfers, this vulnerability poses a moderate risk primarily related to information disclosure. The exposure of absolute server paths can provide attackers with valuable intelligence about the underlying server environment and directory structure, which can be leveraged in subsequent attacks such as privilege escalation, directory traversal, or targeted exploitation of other vulnerabilities. While the direct impact on confidentiality is limited to path disclosure, the indirect risk could be significant if combined with other vulnerabilities or social engineering tactics. Since exploitation requires authenticated access and user interaction, the threat is more relevant in environments where many users have web access to GoAnywhere, including internal users or partners with limited permissions. The vulnerability does not affect system integrity or availability directly, but the information disclosure could facilitate more damaging attacks. European organizations in sectors with high reliance on secure file transfer—such as finance, healthcare, manufacturing, and government—should be particularly vigilant, as attackers may use this information to map critical infrastructure.

Mitigation Recommendations

To mitigate this vulnerability effectively, European organizations should:
1) Upgrade GoAnywhere installations to version 7.8.0 or later as soon as the patch is available to eliminate the error message leakage.
2) Implement strict access controls and minimize the number of users with upload permissions, especially on subfolders, to reduce the attack surface.
3) Configure custom error handling within GoAnywhere or at the web server level to suppress detailed error messages that reveal internal paths, replacing them with generic, non-informative messages.
4) Monitor application logs for repeated failed upload attempts to non-existent directories, which may indicate reconnaissance activity.
5) Conduct regular security awareness training for users with access to GoAnywhere to recognize and report suspicious behavior.
6) Employ network segmentation and application-layer firewalls to restrict access to the GoAnywhere web interface to trusted users and IP ranges.
7) Review and harden server configurations to limit information disclosure through other channels, complementing the fix for this vulnerability.
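The following is an added example, not GoAnywhere's code, illustrating recommendations 3 and 4: an upload handler exhibiting the CWE-209 pattern (the OSError text, which embeds the absolute target path, is returned to the web user), the hardened form that returns only a generic message with a correlation id and keeps the path in the server log, and a detector that flags users with repeated failed uploads to missing directories from that log. All paths, user names and log lines are constructed.

```python
# Added example, not GoAnywhere's code: CWE-209 upload handler vs. hardened form,
# plus a log-based detector for recommendation 4. All paths and names are constructed.
import logging, os, re, tempfile
from collections import Counter
from uuid import uuid4
log = logging.getLogger("upload")

def upload_leaky(user_root, subdir, name, data):
    """Vulnerable: the exception text, which embeds the absolute path, goes to the client."""
    target = os.path.join(user_root, subdir, name)
    try:
        with open(target, "wb") as fh:  # FileNotFoundError when subdir does not exist
            fh.write(data)
    except OSError as exc:
        return {"status": 500, "error": str(exc)}  # "[Errno 2] ... '/srv/.../missing/a.txt'"
    return {"status": 201, "error": None}

def upload_hardened(user, user_root, subdir, name, data):
    """Hardened: generic message plus a correlation id; path and errno stay server-side."""
    target = os.path.join(user_root, subdir, name)
    try:
        with open(target, "wb") as fh:
            fh.write(data)
    except OSError as exc:
        ref = uuid4().hex[:8]
        log.warning("upload failed ref=%s user=%s path=%s err=%s", ref, user, target, exc.strerror)
        return {"status": 400, "error": f"Upload failed (ref {ref})"}
    return {"status": 201, "error": None}

def demo():  # both handlers against a temporary root whose subfolder does not exist
    root = tempfile.mkdtemp()
    return {"root": root,
            "leaky": upload_leaky(root, "missing", "a.txt", b"x"),
            "hardened": upload_hardened("partner1", root, "missing", "a.txt", b"x")}

# Detection (recommendation 4): users with repeated failed uploads to missing directories,
# parsed from lines in the log format written by upload_hardened().
LOG_RE = re.compile(r"upload failed ref=\w+ user=(\S+) path=\S+ err=No such file or directory")

def repeated_missing_dir_uploads(lines, threshold=3):
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {u: n for u, n in counts.items() if n >= threshold}

SAMPLE_LOG = [  # constructed sample lines, not real GoAnywhere output
    f"upload failed ref={i:08x} user={u} path=/srv/mft/{u}/{d}/f.txt err=No such file or directory"
    for i, (u, d) in enumerate([("partner1", "x"), ("partner1", "y"), ("partner1", "z"), ("alice", "q")])]
```

Calling demo() shows the leaky response containing the temporary root path while the hardened response carries only the reference id; the same id appears in the warning line that the detector consumes.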

Technical Details

Data Version: 5.1
Assigner Short Name: Fortra
Date Reserved: 2024-11-27T18:20:36.029Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983dc4522896dcbef2d2

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 10:20:27 PM

Last updated: 8/15/2025, 8:43:37 AM
