{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1241", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2025-02-11T23:19:04.818Z", "datePublished": "2026-04-21T14:10:09.505Z", "dateUpdated": "2026-04-21T19:33:03.005Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2026-04-21T14:10:09.505Z"}, "title": "Encryption vulnerable to brute-force decryption in GoAnywhere MFT", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-326", "description": "CWE-326 Inadequate Encryption Strength", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-20", "descriptions": [{"lang": "en", "value": "CAPEC-20 Encryption Brute Forcing"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "platforms": ["Windows", "Linux", "MacOS"], "versions": [{"status": "affected", "version": "0", "lessThan": "7.10.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which\u00a0allows admin users to brute-force decryption of data.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data."}]}], "references": [{"url": "https://fortra.com/security/advisories/product-security/FI-2026-001"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N"}}], "workarounds": [{"lang": "en", "value": "Restrict access to Admin Client.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Restrict access to Admin Client."}]}], "solutions": [{"lang": "en", "value": "Upgrade to patched version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade to patched version."}]}], "credits": [{"lang": "en", "value": "Robin Wolters, Secura", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:32:52.852629Z", "id": "CVE-2025-1241", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:33:03.005Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1241", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:32:52.852629Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:32:58.757Z"}}], "cna": {"title": "Encryption vulnerable to brute-force decryption in GoAnywhere MFT", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Robin Wolters, Secura"}], "impacts": [{"capecId": "CAPEC-20", "descriptions": [{"lang": "en", "value": "CAPEC-20 Encryption Brute Forcing"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "versions": [{"status": "affected", "version": "0", "lessThan": "7.10.0", "versionType": "semver"}], "platforms": ["Windows", "Linux", "MacOS"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to patched version.", "supportingMedia": [{"type": "text/html", "value": "Upgrade to patched version.", "base64": false}]}], "references": [{"url": "https://fortra.com/security/advisories/product-security/FI-2026-001"}], "workarounds": [{"lang": "en", "value": "Restrict access to Admin Client.", "supportingMedia": [{"type": "text/html", "value": "Restrict access to Admin Client.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which\u00a0allows admin users to brute-force decryption of data.", "supportingMedia": [{"type": "text/html", "value": "Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-326", "description": "CWE-326 Inadequate Encryption Strength"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2026-04-21T14:10:09.505Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1241", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:33:03.005Z", "dateReserved": "2025-02-11T23:19:04.818Z", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "datePublished": "2026-04-21T14:10:09.505Z", "assignerShortName": "Fortra"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortra:goanywhere_agents:*:*:*:*:*:*:*:*", "matchCriteriaId": "BAF69EDB-A1CA-44C6-BF04-D85CCBF2BBA0", "versionEndExcluding": "2.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EB6422D-7B12-41B3-BD42-5610C6C72524", "versionEndExcluding": "7.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which\u00a0allows admin users to brute-force decryption of data."}], "id": "CVE-2025-1241", "lastModified": "2026-04-23T14:12:22.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.0, "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-21T15:16:35.320", "references": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "tags": ["Vendor Advisory"], "url": "https://fortra.com/security/advisories/product-security/FI-2026-001"}], "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "linux", "macos"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.10.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GoAnywhere MFT", "source": "cna", "vendor": "Fortra"}, "product": "goanywhere_mft", "vendor": "fortra"}], "analysis": {"en": {"generated_at": "2026-04-21T22:49:00.104872+00:00", "value": {"mitigation_remediation": ["Upgrade GoAnywhere MFT to version 7.10.0 or later", "Upgrade GoAnywhere Agents to version 2.2.0 or later", "Restrict access to the Admin Client to authorized personnel while the patch is deployed"], "summary": {"action": "Immediate Patch", "impact": "Confidentiality Breach"}, "threat_synthesis": {"affected_systems": "Fortra\u2019s GoAnywhere MFT versions earlier than 7.10.0 and GoAnywhere Agents earlier than 2.2.0 are affected. These products are used for secure file transfers and management, and the vulnerable encryption mechanism is employed in configuration and data storage components.", "description_and_impact": "The vulnerability arises from the use of a static initialization vector (IV) in encrypted values handled by GoAnywhere MFT and its agents. Because the IV never changes, an attacker with administrative privileges can perform brute\u2011force trials to decrypt protected data. This weakness falls under CWE\u2011326 and results in the potential exposure of confidential information stored or transmitted by the system. The impact is limited to data confidentiality, while integrity and availability are not directly affected.", "risk_and_exploitability": "The CVSS score of 5.8 reflects a moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited prior exploitation. The likely attack vector requires privileged admin access, typically through the Admin Client interface. If an attacker gains local or remote administrative control, brute\u2011forcing the static IV can reveal encrypted content."}}}}, "created": "2026-04-21T23:00:03.480690+00:00", "updated": "2026-04-22T11:46:30.567896+00:00", "vendors": ["fortra", "fortra$PRODUCT$goanywhere_mft"]}