
CVE-2025-8148: CWE-732 Incorrect Permission Assignment for Critical Resource in Fortra GoAnywhere MFT

Severity: Medium
Tags: Vulnerability, CVE-2025-8148, CWE-732, CWE-863
Published: Fri Dec 05 2025 (12/05/2025, 20:56:05 UTC)
Source: CVE Database V5
Vendor/Project: Fortra
Product: GoAnywhere MFT

Description

An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still log in using their SSH key.

AI-Powered Analysis

Last updated: 12/05/2025, 21:15:15 UTC

Technical Analysis

CVE-2025-8148 is an access control vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) product, affecting the SFTP service in versions prior to 7.9.0. The issue is incorrect permission assignment around authentication methods. A web user assigned an Authentication Alias that restricts SFTP to password authentication should not be able to authenticate with an SSH key. Because the SFTP authentication logic enforces that restriction improperly (CWE-732) and performs insufficient authorization checks (CWE-863), such a user who also holds a valid SSH key can log in with the key anyway, using an access method the configured policy forbids and potentially reaching sensitive file transfer operations. The vulnerability has a CVSS 3.1 base score of 4.2 (medium severity): network attack vector, high attack complexity, low privileges required, no user interaction, limited impact on confidentiality and integrity, and no impact on availability. No public exploits are known, but the vulnerability is publicly disclosed and should be addressed promptly. The fix is to upgrade to version 7.9.0 or later, where the SFTP authentication logic enforces the configured method restriction.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized access to managed file transfer services, which are often used to handle sensitive data such as financial records, personal information, and business-critical files. Unauthorized SSH key authentication could allow attackers to bypass intended authentication restrictions, potentially leading to data leakage or unauthorized data modification. While the impact on availability is negligible, the confidentiality and integrity of transferred data could be compromised. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on GoAnywhere MFT for secure file transfers may face increased risk of data breaches or compliance violations. The medium severity rating suggests that while exploitation is not trivial, the potential consequences warrant timely remediation to avoid lateral movement or privilege escalation within internal networks.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately upgrade Fortra GoAnywhere MFT to version 7.9.0 or later, where the access control issue is resolved. Additionally, review and audit all Authentication Alias configurations to confirm that the permitted authentication methods are restricted as intended and actually enforced. Implement strict SSH key management policies, including key rotation and revocation procedures, to limit the risk of unauthorized key usage. Network segmentation and monitoring of SFTP access logs can help detect anomalous authentication attempts, in particular successful key-based logins by users whose alias permits only password authentication. Employ multi-factor authentication (MFA) where possible as a layer beyond SSH keys and passwords. Regularly update and patch managed file transfer solutions as part of a robust vulnerability management program. Finally, conduct security awareness training for administrators managing authentication policies to prevent misconfigurations.
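The audit and log-monitoring steps above can be turned into a concrete check. The following is an added example, not Fortra's code: it compares successful SFTP logins against a per-user alias policy and reports any login whose method the alias does not permit, which is exactly the condition the advisory describes. The alias policy, log line format and sample log are constructed for this example and do not reflect GoAnywhere's real formats.

```python
"""Flag SFTP logins that succeeded with a method the user's alias does not allow.
Alias policy and log format are constructed for this example (hypothetical)."""
import re
from dataclasses import dataclass

# Constructed alias policy: user -> authentication methods permitted for SFTP.
ALIAS_POLICY = {
    "alice": {"password"},             # password-only: a key login is a bypass
    "bob": {"password", "publickey"},
    "carol": {"publickey"},
}

# Constructed log line shape, e.g.
# "2025-12-05T20:10:01Z sftp accepted password for alice from 10.0.0.5"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sftp (?P<result>accepted|rejected) (?P<method>\w+) "
    r"for (?P<user>\w+) from (?P<ip>[\d.]+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    method: str
    ip: str

def is_method_allowed(user, method, policy=ALIAS_POLICY):
    """Hardened check: deny unknown users and any method outside the alias policy."""
    return method in policy.get(user, set())

def audit_sftp_log(lines, policy=ALIAS_POLICY):
    """Return successful logins whose method the user's alias does not permit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "accepted":
            continue  # unparsable or rejected attempts are not policy bypasses
        if not is_method_allowed(m["user"], m["method"], policy):
            findings.append(Finding(m["ts"], m["user"], m["method"], m["ip"]))
    return findings

# Constructed sample log: alice's key login and unknown user dave should be flagged.
SAMPLE_LOG = """\
2025-12-05T20:10:01Z sftp accepted password for alice from 10.0.0.5
2025-12-05T20:11:44Z sftp accepted publickey for alice from 10.0.0.9
2025-12-05T20:12:03Z sftp accepted publickey for bob from 10.0.0.7
2025-12-05T20:13:27Z sftp rejected publickey for carol from 10.0.0.8
2025-12-05T20:14:10Z sftp accepted password for dave from 10.0.0.2
""".splitlines()

if __name__ == "__main__":
    for f in audit_sftp_log(SAMPLE_LOG):
        print(f"policy bypass: {f.user} logged in via {f.method} from {f.ip} at {f.ts}")
```

The same `is_method_allowed` check, applied before a key is even evaluated, is the shape of control the advisory says was missing for password-restricted aliases.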


Technical Details

Data Version: 5.2
Assigner Short Name: Fortra
Date Reserved: 2025-07-24T21:27:23.294Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693347f3f88dbe026c1c0562

Added to database: 12/5/2025, 9:00:35 PM

Last enriched: 12/5/2025, 9:15:15 PM

Last updated: 12/6/2025, 3:19:49 AM