CVE-2025-3871: CWE-862 Missing Authorization in Fortra GoAnywhere MFT
Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP.
CVE-2025-3871: CWE-862 Missing Authorization in Fortra GoAnywhere MFT
Description
Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Fortra
- Date Reserved
- 2025-04-22T14:56:48.089Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6877b42ca83201eaacdbbfe5
Added to database: 7/16/2025, 2:16:12 PM
Last updated: 7/16/2025, 2:16:12 PM
Views: 1
Related Threats
CVE-2025-40918: CWE-340 Generation of Predictable Numbers or Identifiers in EHUELS Authen::SASL::Perl::DIGEST_MD5
UnknownCVE-2025-40919: CWE-340 Generation of Predictable Numbers or Identifiers in SALVA Authen::DigestMD5
UnknownCVE-2025-40913: CWE-1395 Dependency on Vulnerable Third-Party Component in ATRODO Net::Dropbear
UnknownCVE-2025-53892: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in intlify vue-i18n
MediumCVE-2025-53840: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Icinga icingadb-web
LowActions
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.