CVE-2025-8148: CWE-732 Incorrect Permission Assignment for Critical Resource in Fortra GoAnywhere MFT
An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still log in using their SSH key.
AI Analysis
Technical Summary
CVE-2025-8148 is an improper access control vulnerability classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) and CWE-863 (Incorrect Authorization) affecting Fortra's GoAnywhere Managed File Transfer (MFT) product versions prior to 7.9.0. The vulnerability arises from a flaw in the SFTP service's authentication mechanism. Normally, web users assigned an Authentication Alias with password authentication only should be restricted from using SSH key-based login methods. However, due to incorrect permission assignment, these users can still authenticate using their SSH keys, bypassing intended authentication restrictions. This can lead to unauthorized access to the SFTP service, potentially allowing attackers to access or manipulate sensitive files transferred via the MFT platform. The vulnerability has a network attack vector (AV:N), requires low privileges (PR:L), high attack complexity (AC:H), and does not require user interaction (UI:N). The impact on confidentiality and integrity is low but notable, with no impact on availability. No public exploits are currently known, but the flaw could be leveraged in targeted attacks. The vulnerability was reserved in July 2025 and published in December 2025, with no patch links currently available, indicating organizations must monitor Fortra's updates closely. The issue highlights the importance of strict authentication controls in managed file transfer systems, especially those handling sensitive or regulated data.
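The flaw described above is an authorization check that examines the credential before it examines the policy. The following Python model is an added illustration written for this page, not GoAnywhere MFT's code: the user records, method names, fingerprints and the two `check` variants are all constructed. It contrasts a check that accepts any registered key regardless of the user's allowed methods with one that consults the per-user method policy first and fails closed.

```python
"""Model of a per-user authentication-method policy for an SFTP service.

Hypothetical illustration of the CVE-2025-8148 pattern (CWE-863): a user whose
Authentication Alias permits only password login still has an SSH key on file,
and a flawed check accepts that key because it never consults the policy.
All users, passwords and fingerprints below are constructed sample data.
"""
import hmac
from dataclasses import dataclass, field
from typing import FrozenSet, Set

@dataclass
class WebUser:
    name: str
    # Methods this user's Authentication Alias permits for SFTP,
    # e.g. {"password"} or {"password", "publickey"}.
    allowed_sftp_methods: FrozenSet[str]
    password: str
    # Fingerprints of SSH public keys registered on the account.
    ssh_key_fingerprints: Set[str] = field(default_factory=set)

# Constructed sample accounts: alice is restricted to password authentication
# but still has a valid key registered; bob may use either method.
USERS = {
    "alice": WebUser("alice", frozenset({"password"}), "hunter2", {"SHA256:alice-key"}),
    "bob": WebUser("bob", frozenset({"password", "publickey"}), "s3cret", {"SHA256:bob-key"}),
}

def vulnerable_check(username: str, method: str, credential: str) -> bool:
    """Flawed logic: the allowed-method policy is applied only on the password
    path, so a valid registered key is accepted for any user that owns it."""
    user = USERS.get(username)
    if user is None:
        return False
    if method == "publickey":
        return credential in user.ssh_key_fingerprints  # policy never consulted
    if method == "password":
        return ("password" in user.allowed_sftp_methods
                and hmac.compare_digest(credential, user.password))
    return False

def hardened_check(username: str, method: str, credential: str) -> bool:
    """Corrected logic: the method must be permitted for this user before any
    credential is examined; unknown users and unknown methods fail closed."""
    user = USERS.get(username)
    if user is None or method not in user.allowed_sftp_methods:
        return False
    if method == "publickey":
        return credential in user.ssh_key_fingerprints
    if method == "password":
        return hmac.compare_digest(credential, user.password)
    return False

if __name__ == "__main__":
    for check in (vulnerable_check, hardened_check):
        print(check.__name__, "alice+key:",
              check("alice", "publickey", "SHA256:alice-key"))
```

The ordering is the whole point: when the policy gate sits in front of every credential path, adding a new authentication method later cannot silently reopen the bypass.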
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of sensitive data exchanged via GoAnywhere MFT. Unauthorized SSH key-based access could allow attackers to exfiltrate, modify, or delete files, potentially disrupting business operations or violating data protection regulations such as GDPR. Organizations in sectors like finance, healthcare, government, and critical infrastructure that rely on secure file transfers are particularly vulnerable. The flaw could facilitate lateral movement within networks if attackers gain footholds via compromised credentials. Although the CVSS score is medium, the potential for data leakage or manipulation is significant given the critical role of MFT solutions in secure communications. The absence of known exploits suggests limited current threat activity, but the vulnerability could be targeted in future attacks, especially in environments where SSH keys are widely used for automation and access. European entities must assess their exposure based on GoAnywhere MFT deployment and authentication configurations.
Mitigation Recommendations
Organizations should immediately verify their GoAnywhere MFT versions and upgrade to version 7.9.0 or later once available to address this vulnerability. Until patches are released, administrators should audit and restrict Authentication Alias configurations to ensure SSH key authentication is disabled where not intended. Implement strict key management policies, including revoking unused or unauthorized SSH keys and enforcing multi-factor authentication where possible. Network segmentation and monitoring of SFTP access logs can help detect anomalous login attempts. Employ intrusion detection systems tuned to identify suspicious SSH activity. Regularly review user permissions and authentication methods to prevent privilege escalation. Engage with Fortra support for interim mitigation guidance and monitor official advisories for patches or workarounds. Additionally, conduct penetration testing focused on authentication bypass scenarios to validate controls.
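One of the recommendations above is to monitor SFTP access logs for anomalous logins. The Python below is an added example of that audit, not part of the original page and not using GoAnywhere's real log format: it assumes a constructed `key=value` line format and a per-user method policy, and flags successful public-key logins by users whose Authentication Alias permits only password authentication, as well as successful logins by users with no policy entry at all.

```python
"""Audit constructed SFTP authentication log lines against a per-user
authentication-method policy. Added illustration for this page; the log
format, users and addresses are assumptions, not GoAnywhere's own format."""
import re
from typing import Dict, FrozenSet, List

# Assumed policy export: methods each Web User's Authentication Alias permits.
POLICY: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"password"}),
    "bob": frozenset({"password", "publickey"}),
}

# Constructed sample log lines (assumed key=value format).
SAMPLE_LOG = """\
2025-12-05T21:00:35Z sftp-auth user=alice method=password result=success src=10.0.0.5
2025-12-05T21:01:02Z sftp-auth user=alice method=publickey result=success src=10.0.0.9
2025-12-05T21:01:40Z sftp-auth user=bob method=publickey result=success src=10.0.0.7
2025-12-05T21:02:11Z sftp-auth user=carol method=publickey result=success src=10.0.0.8
2025-12-05T21:02:30Z sftp-auth user=alice method=publickey result=failure src=10.0.0.9
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sftp-auth user=(?P<user>\S+) method=(?P<method>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def audit_sftp_auth(log_text: str, policy: Dict[str, FrozenSet[str]]) -> List[dict]:
    """Return one finding per successful login that the policy does not allow.
    Failed attempts are not flagged here; they belong in a separate brute-force
    check. Unparseable lines are skipped rather than treated as failures."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if rec["result"] != "success":
            continue
        allowed = policy.get(rec["user"])
        if allowed is None:
            reason = "successful login by user with no policy entry"
        elif rec["method"] not in allowed:
            reason = (f"method {rec['method']} not permitted for this user "
                      f"(allowed: {', '.join(sorted(allowed))})")
        else:
            continue
        findings.append({"ts": rec["ts"], "user": rec["user"],
                         "method": rec["method"], "src": rec["src"],
                         "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit_sftp_auth(SAMPLE_LOG, POLICY):
        print(f"{f['ts']} {f['user']}@{f['src']} via {f['method']}: {f['reason']}")
```

On a real deployment the policy dictionary would be exported from the Authentication Alias configuration, and the audit run regularly until the upgrade to 7.9.0 is in place; any finding for a password-only user is direct evidence that the restriction is not being enforced.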
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Fortra
- Date Reserved: 2025-07-24T21:27:23.294Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693347f3f88dbe026c1c0562
Added to database: 12/5/2025, 9:00:35 PM
Last enriched: 12/12/2025, 9:24:41 PM
Last updated: 1/20/2026, 6:25:31 PM