CVE-2025-8148
📋 TL;DR
This vulnerability allows Web Users in Fortra's GoAnywhere MFT who are configured for password-only SFTP authentication to bypass this restriction and log in using SSH keys. This affects organizations using GoAnywhere MFT versions before 7.9.0 with Web Users configured with Authentication Aliases and SSH keys but limited to password authentication for SFTP.
💻 Affected Systems
- Fortra GoAnywhere MFT
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with valid SSH key credentials could gain unauthorized SFTP access to sensitive files and directories that should only be accessible via password authentication, potentially leading to data exfiltration or unauthorized modifications.
Likely Case
Authorized users with SSH keys could unintentionally or intentionally bypass password-only restrictions to access SFTP resources they shouldn't be able to access via SSH key authentication.
If Mitigated
Limited impact: users would still need valid credentials, and proper access controls would limit what they can reach even after a successful authentication.
🎯 Exploit Status
Exploitation requires valid SSH key credentials and knowledge of the vulnerability. The attacker must already have SSH key access that should be restricted to password-only for SFTP.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.9.0
Vendor Advisory: https://www.fortra.com/security/advisories/product-security/fi-2025-013
Restart Required: Yes
Instructions:
1. Download GoAnywhere MFT version 7.9.0 or later from the Fortra support portal.
2. Back up the current configuration and data.
3. Stop GoAnywhere MFT services.
4. Install the updated version.
5. Restart GoAnywhere MFT services.
6. Verify functionality.
🔧 Temporary Workarounds
Remove SSH keys from affected users
Remove SSH public keys from all Web Users who should only use password authentication for SFTP
Navigate to Administration > Users > Edit User > Authentication Alias tab > Remove SSH public key
Disable SFTP access for affected users
Temporarily disable SFTP access for all users with this configuration until patching is complete
Navigate to Administration > Users > Edit User > Resources tab > Remove SFTP resource permissions
🧯 If You Can't Patch
- Review and audit all Web Users with Authentication Aliases to ensure SSH keys are only present for users who should have SSH key authentication
- Implement network segmentation to restrict SFTP access to trusted networks only and monitor SFTP authentication logs for unauthorized SSH key usage
🔍 How to Verify
Check if Vulnerable:
Check GoAnywhere MFT version in Administration > About. If version is below 7.9.0, review Web Users with Authentication Aliases that have SSH keys but are limited to password authentication for SFTP.
Check Version:
Check version in GoAnywhere MFT web interface under Administration > About or via command line: java -jar goanywhere.jar --version
Verify Fix Applied:
After upgrading to 7.9.0 or later, attempt to authenticate via SFTP using an SSH key for a user configured for password-only authentication; the login should now fail.
📡 Detection & Monitoring
Log Indicators:
- Successful SFTP authentication events using SSH keys for users configured for password-only authentication
- Authentication method mismatch in SFTP logs
Network Indicators:
- SFTP connections using SSH key authentication from users who should only use password authentication
SIEM Query:
source="goanywhere" AND (event_type="sftp_auth" AND auth_method="ssh_key") AND user IN (SELECT user FROM goanywhere_users WHERE sftp_auth_restriction="password_only")
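The SIEM query above joins SFTP authentication events against the user configuration. The following Python script is an added example, not Fortra's code and not from the advisory, that shows the same two checks offline: an audit of the user configuration for the risky combination (SSH key registered but SFTP limited to password authentication, as in the "If You Can't Patch" guidance) and a scan of authentication events for successful SSH-key logins by password-only users. The user export fields, the log line format and all sample values are constructed assumptions; GoAnywhere's real export and log syntax will differ and the regular expression must be adapted to it.

```python
"""Added example: audit risky Web User config and detect SSH-key logins by password-only users.
Not Fortra's code. Record and log formats below are constructed assumptions."""
import re
from dataclasses import dataclass, field


@dataclass
class WebUser:
    name: str
    sftp_auth: str                      # assumed values: "password" or "password_or_key"
    ssh_keys: list = field(default_factory=list)  # key fingerprints on the Authentication Alias


# Constructed sample of a Web User export (not real data).
SAMPLE_USERS = [
    WebUser("alice", "password", ["SHA256:aaaa"]),        # risky: key present, password-only SFTP
    WebUser("bob", "password_or_key", ["SHA256:bbbb"]),   # key use is intended here
    WebUser("carol", "password", []),                     # password-only with no key: fine
]


def audit_users(users):
    """Return names of users that have an SSH key registered but are limited to password SFTP auth."""
    return sorted(u.name for u in users if u.sftp_auth == "password" and u.ssh_keys)


# Assumed log line layout: timestamp, event, user, method, result, source address.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sftp_auth user=(?P<user>\S+) method=(?P<method>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (addresses are documentation ranges).
SAMPLE_LOG = """\
2025-08-01T10:00:01Z sftp_auth user=alice method=publickey result=success src=203.0.113.5
2025-08-01T10:00:07Z sftp_auth user=bob method=publickey result=success src=203.0.113.6
2025-08-01T10:00:09Z sftp_auth user=carol method=password result=success src=203.0.113.7
2025-08-01T10:00:12Z sftp_auth user=alice method=password result=failure src=203.0.113.5
2025-08-01T10:00:15Z sftp_auth user=alice method=publickey result=failure src=198.51.100.9
this line is not an auth event and is skipped
"""


def parse_events(text):
    """Parse auth events from log text; lines that do not match the layout are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_key_bypass(events, users):
    """Flag successful SSH-key SFTP logins by users whose SFTP auth is password-only.

    On a patched 7.9.0+ system such logins should fail, so any hit after patching
    indicates either an incomplete upgrade or a user whose restriction changed."""
    password_only = {u.name for u in users if u.sftp_auth == "password"}
    return [
        e for e in events
        if e["method"] == "publickey" and e["result"] == "success" and e["user"] in password_only
    ]


if __name__ == "__main__":
    print("risky config:", audit_users(SAMPLE_USERS))
    for hit in detect_key_bypass(parse_events(SAMPLE_LOG), SAMPLE_USERS):
        print("ALERT key login by password-only user:", hit)
```

The audit function runs against an export of the user configuration and is the pre-patch check; the detection function runs over the SFTP authentication log and is what the SIEM query expresses. Failed SSH-key attempts by password-only users (the last sample line) are not flagged here because the page's indicator is the successful event, but they are worth a separate, lower-severity alert once the fix is applied.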