
CVE-2025-3871: CWE-862 Missing Authorization in Fortra GoAnywhere MFT

Severity: Medium
Tags: Vulnerability, CVE-2025-3871, CWE-862
Published: Wed Jul 16 2025 (07/16/2025, 14:00:27 UTC)
Source: CVE Database V5
Vendor/Project: Fortra
Product: GoAnywhere MFT

Description

Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP.

AI-Powered Analysis

Last updated: 07/24/2025, 00:57:19 UTC

Technical Analysis

CVE-2025-3871 is a medium-severity vulnerability affecting Fortra's GoAnywhere Managed File Transfer (MFT) software versions prior to 7.8.1. The flaw is classified under CWE-862, which corresponds to missing authorization controls. Specifically, the vulnerability arises when GoAnywhere MFT is configured to use its GoAnywhere One-Time Password (GOTP) email-based two-factor authentication (2FA) mechanism, and a user account has not set an email address. In this scenario, an unauthenticated attacker can supply the email address of a legitimate user during the 2FA prompt. Due to insufficient authorization checks, this action causes the targeted user account to become disabled, effectively creating a denial of service (DoS) condition. The vulnerability does not compromise confidentiality or integrity but impacts availability by preventing legitimate users from accessing the system. The CVSS v3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based, requires no privileges or user interaction, and affects availability only. No known exploits are currently reported in the wild, and no patches or mitigation links were provided at the time of publication. The vulnerability is significant because it allows an attacker to disrupt business operations by disabling user accounts without authentication, leveraging a design flaw in the 2FA implementation and missing authorization validation during the email input step.
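The authorization gap described above, reduced to a small model as an added example (this is not GoAnywhere MFT code; the User and UserStore classes, the two OTP-step handlers, the lockout threshold and the user names are assumptions made for the illustration). The vulnerable handler resolves the account it acts on from the address typed at the prompt; the hardened handler only ever acts on the account that is actually logging in and treats an address owned by someone else as a rejected input charged to the caller.

```python
"""
Added illustration of the CWE-862 pattern behind CVE-2025-3871. This is
not GoAnywhere MFT code: the User/UserStore classes, the OTP-step handlers
and the lockout threshold are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Optional

MAX_OTP_FAILURES = 3  # assumed lockout threshold, not the product's value


@dataclass
class User:
    username: str
    email: Optional[str]      # None models "the user has not set an email address"
    gotp_enabled: bool        # "has configured GOTP"
    failed_otp: int = 0
    disabled: bool = False


class UserStore:
    def __init__(self, users):
        self._by_name = {u.username: u for u in users}
        self._by_email = {u.email: u for u in users if u.email}

    def by_name(self, name: str) -> Optional[User]:
        return self._by_name.get(name)

    def by_email(self, email: str) -> Optional[User]:
        return self._by_email.get(email)


def record_otp_failure(target: User) -> None:
    """Assumed lockout rule: repeated OTP failures disable a GOTP-enabled account."""
    if not target.gotp_enabled:
        return
    target.failed_otp += 1
    if target.failed_otp >= MAX_OTP_FAILURES:
        target.disabled = True


def vulnerable_otp_step(store: UserStore, login_user: str,
                        entered_email: str, otp_ok: bool) -> str:
    """Missing authorization: the account charged with the OTP outcome is
    resolved from the address typed at the prompt, so whoever is at the
    prompt decides which account absorbs the lockout."""
    target = store.by_email(entered_email) or store.by_name(login_user)
    if target is None:
        return "unknown"
    if otp_ok:
        return "ok"
    record_otp_failure(target)
    return "disabled" if target.disabled else "retry"


def hardened_otp_step(store: UserStore, login_user: str,
                      entered_email: str, otp_ok: bool) -> str:
    """Authorization check added: the only account this step may act on is
    the one that is logging in. An address owned by a different account is
    rejected, and the failure is counted against the caller, not the owner."""
    me = store.by_name(login_user)
    if me is None:
        return "unknown"
    owner = store.by_email(entered_email)
    if owner is not None and owner.username != me.username:
        record_otp_failure(me)
        return "rejected"
    if otp_ok:
        return "ok"
    record_otp_failure(me)
    return "disabled" if me.disabled else "retry"


def run_scenario(step) -> dict:
    """Replays the advisory's scenario against one handler: the login user has
    no email set, enters alice's address at the prompt, and fails the OTP
    MAX_OTP_FAILURES times. Returns who ended up disabled."""
    store = UserStore([
        User("alice", "alice@example.test", gotp_enabled=True),
        User("mallory", None, gotp_enabled=True),
    ])
    results = [step(store, "mallory", "alice@example.test", otp_ok=False)
               for _ in range(MAX_OTP_FAILURES)]
    return {
        "results": results,
        "alice_disabled": store.by_name("alice").disabled,
        "mallory_disabled": store.by_name("mallory").disabled,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_otp_step))
    print("hardened:  ", run_scenario(hardened_otp_step))
```

With the vulnerable handler the replay disables alice, who never took part in the login; with the hardened one the same three inputs are rejected and the lockout lands on the account at the prompt. A stricter design, also consistent with the advisory's mitigation advice, is to accept no free-form address at the 2FA prompt at all and require the email to be set through an authenticated profile change before GOTP can be used.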

Potential Impact

For European organizations using Fortra GoAnywhere MFT, this vulnerability poses a risk of operational disruption. GoAnywhere MFT is commonly used for secure file transfers in sectors such as finance, healthcare, manufacturing, and government. A denial of service on user accounts can halt critical file exchange workflows, delay business processes, and impact compliance with data handling regulations like GDPR if data transfers are interrupted. Since the attack requires no authentication or user interaction, it can be executed remotely by any attacker aware of valid user email addresses, which may be obtainable through social engineering or public sources. The impact is primarily on availability, potentially causing downtime or forcing emergency account recovery procedures. Organizations with strict uptime requirements or those relying heavily on automated file transfers may experience significant operational and reputational damage. However, the lack of confidentiality or integrity compromise limits the risk of data breaches or unauthorized data manipulation.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading Fortra GoAnywhere MFT to version 7.8.1 or later once the vendor releases a patch. Until a patch is available, organizations should consider disabling the GOTP email-based 2FA method if feasible, or ensure that all user accounts have verified email addresses configured to prevent triggering the vulnerability. Implementing network-level access controls such as IP whitelisting or VPN requirements can reduce exposure to unauthenticated attackers. Monitoring authentication logs for unusual 2FA failures or account disablement events can help detect exploitation attempts early. Additionally, organizations should review and tighten authorization checks around 2FA workflows and user account management. Incident response plans should include procedures for rapid re-enablement of disabled accounts to minimize downtime. Finally, educating users and administrators about this vulnerability and enforcing strong account management policies will reduce the attack surface.
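The log-monitoring recommendation above, turned into a concrete detector as an added example (it is not from the advisory or from Fortra). It runs over constructed key=value audit lines and flags an account-disabled event for a user who did not start a login of their own in the preceding window; the log layout, event names and the ten-minute window are assumptions for the example, and a real GoAnywhere MFT deployment's log format must be mapped onto these field names first.

```python
"""
Added example (not from the advisory or from Fortra): a small detector over
constructed authentication log lines for the pattern behind CVE-2025-3871,
an account-disabled event for a user who did not start a login themselves
in the preceding window. The key=value log layout and event names are
invented for the example; a real GoAnywhere MFT deployment's log format
will differ and the field names must be mapped first.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WINDOW = timedelta(minutes=10)  # assumed: a genuine lockout follows the user's own login closely

# Constructed sample log. alice logged in normally at 13:40; at 14:02 a
# different login ("mallory", no email on file) enters alice's address at
# the GOTP prompt and the OTP failures are charged to alice. bob's lockout
# at 14:06 follows bob's own login and is the benign case.
SAMPLE_LOG = """\
2025-07-16T13:40:01Z event=login_attempt user=alice result=success
2025-07-16T13:40:09Z event=otp_verify user=alice result=success
2025-07-16T14:02:10Z event=login_attempt user=mallory result=success
2025-07-16T14:02:14Z event=gotp_email_prompt user=mallory email=alice@example.test
2025-07-16T14:02:20Z event=otp_verify user=alice result=failure
2025-07-16T14:02:31Z event=otp_verify user=alice result=failure
2025-07-16T14:02:40Z event=otp_verify user=alice result=failure
2025-07-16T14:02:41Z event=account_disabled user=alice reason=otp_lockout
2025-07-16T14:05:00Z event=login_attempt user=bob result=success
2025-07-16T14:05:30Z event=otp_verify user=bob result=failure
2025-07-16T14:05:45Z event=otp_verify user=bob result=failure
2025-07-16T14:06:00Z event=otp_verify user=bob result=failure
2025-07-16T14:06:01Z event=account_disabled user=bob reason=otp_lockout
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """'<iso-ts> k=v k=v ...' -> dict; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 2 or "=" in parts[0]:
        return None
    fields: Dict[str, str] = {}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        k, v = kv.split("=", 1)
        fields[k] = v
    fields["ts"] = parts[0]
    return fields


def find_orphan_lockouts(log_text: str,
                         window: timedelta = WINDOW) -> List[Dict[str, Optional[str]]]:
    """Flag account_disabled events whose user has no login_attempt of their
    own within `window` before the disable. Lines must be in time order."""
    last_login: Dict[str, datetime] = {}
    alerts: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or "event" not in e or "user" not in e:
            continue
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        if e["event"] == "login_attempt":
            last_login[e["user"]] = ts
        elif e["event"] == "account_disabled":
            seen = last_login.get(e["user"])
            if seen is None or ts - seen > window:
                alerts.append({
                    "user": e["user"],
                    "disabled_at": e["ts"],
                    "last_own_login": seen.isoformat() if seen else None,
                })
    return alerts


if __name__ == "__main__":
    for a in find_orphan_lockouts(SAMPLE_LOG):
        print("possible cross-account lockout:", a)
```

On the sample the detector reports alice only: her last own login is over twenty minutes before the disable, while bob's lockout sits a minute after his own login and is not flagged. If the product's logs record the address entered at the GOTP prompt, a second rule that compares that address's owner with the login user gives an earlier and more specific signal than waiting for the lockout.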


Technical Details

Data Version: 5.1
Assigner Short Name: Fortra
Date Reserved: 2025-04-22T14:56:48.089Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6877b42ca83201eaacdbbfe5

Added to database: 7/16/2025, 2:16:12 PM

Last enriched: 7/24/2025, 12:57:19 AM

Last updated: 8/29/2025, 4:06:59 PM

