CVE-2025-14362 Overview
CVE-2025-14362 is a brute force vulnerability affecting Fortra's GoAnywhere Managed File Transfer (MFT) solution prior to version 7.10.0. The vulnerability exists because the SFTP service fails to enforce login attempt limits when a Web User is configured for SSH key authentication. This improper restriction of excessive authentication attempts (CWE-307) allows attackers to conduct brute force attacks against SSH keys without being rate-limited or locked out.
Critical Impact
Attackers can perform unlimited SSH key guessing attempts against the SFTP service, potentially compromising user accounts configured with weak or predictable SSH keys without triggering account lockout mechanisms.
Affected Products
- Fortra GoAnywhere Managed File Transfer versions prior to 7.10.0
- SFTP service with Web Users configured for SSH key authentication
- All deployment environments running vulnerable versions
Discovery Timeline
- 2026-04-21 - CVE-2025-14362 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-14362
Vulnerability Analysis
This brute force vulnerability stems from inconsistent enforcement of login rate limiting controls within the GoAnywhere MFT SFTP service. While the platform implements login attempt limits for standard credential-based authentication, these protective mechanisms are not applied when users authenticate via SSH keys.
The flaw specifically affects Web User accounts that have been configured to use SSH key-based authentication. In a properly secured implementation, failed authentication attempts should be counted and enforced regardless of the authentication method. However, the vulnerable versions of GoAnywhere MFT fail to track or limit failed SSH key authentication attempts, creating a significant security gap.
An attacker exploiting this vulnerability can systematically attempt to authenticate using different SSH keys without triggering the platform's normal brute force protection mechanisms. This is particularly concerning in enterprise environments where GoAnywhere MFT is used for sensitive file transfers.
Root Cause
The root cause is classified as CWE-307: Improper Restriction of Excessive Authentication Attempts. The SFTP service implementation contains a logic flaw where the login attempt counter and lockout mechanism are bypassed for SSH key authentication flows. The authentication pathway for SSH keys does not properly integrate with the existing rate limiting infrastructure that protects password-based logins, resulting in an unprotected attack surface.
Attack Vector
The attack is network-based and can be executed remotely without any prior authentication or user interaction. An attacker can target the SFTP service endpoint and attempt repeated SSH key authentications against known user accounts.
The attack methodology involves connecting to the target's SFTP service and systematically attempting authentication with different SSH key pairs. Because the login limit is not enforced, an attacker can make unlimited attempts to guess or brute force valid SSH keys. This is particularly effective against organizations that may have users with weak or commonly used SSH key pairs, or in scenarios where partial key information has been leaked.
Detection Methods for CVE-2025-14362
Indicators of Compromise
- Abnormally high volume of failed SSH key authentication attempts from single IP addresses
- Rapid succession of SFTP connection attempts targeting specific user accounts
- Authentication logs showing thousands of failed SSH key authentication attempts without any account lockout being triggered
- Unusual connection patterns to SFTP service ports from external IP addresses
Detection Strategies
- Monitor SFTP authentication logs for excessive failed login attempts per user account
- Implement external rate limiting at the network or firewall level for SFTP connections
- Configure SIEM alerts for brute force patterns targeting SSH key authentication
- Review GoAnywhere MFT audit logs for signs of systematic authentication probing
Monitoring Recommendations
- Enable detailed logging for all SFTP authentication attempts including SSH key failures
- Implement network-level monitoring for connection rates to GoAnywhere MFT services
- Set up alerting thresholds for failed authentication attempts per source IP and target account
- Regularly audit Web User accounts configured for SSH key authentication
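The following is an added example illustrating the detection strategies and monitoring recommendations above; it is not GoAnywhere code and Fortra publishes no such script. The one-line-per-attempt log format it parses is constructed and hypothetical (GoAnywhere's real audit log layout is not described on this page), so adapt LINE_RE before pointing it at real logs. It keeps a sliding window of failed public key authentications per (source IP, Web User) pair, raises a "burst" alert once the window reaches the threshold the platform itself should have enforced, and raises a second, higher-priority "success_after_burst" alert if a later key login from the same pair succeeds.

```python
"""Sliding-window detector for SSH-key brute forcing against an SFTP service.

Added example, not GoAnywhere code. The log line format is constructed and
hypothetical: adapt LINE_RE to the real GoAnywhere MFT authentication log
format before use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Hypothetical one-line-per-attempt format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) sftp "
    r"auth=(?P<method>\w+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def detect_key_bruteforce(lines, threshold=10, window_seconds=60,
                          methods=("publickey",)):
    """Return a list of alert dicts for (src, user) pairs.

    'burst': at least `threshold` failed key authentications for one
    (src, user) pair inside a sliding `window_seconds` window, i.e. the
    pattern a working lockout would have stopped.
    'success_after_burst': a later successful key login for a pair that was
    already flagged, i.e. the guessing may have worked.
    Lines must be supplied in chronological order.
    """
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent FAILs
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] not in methods:
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "OK":
            if key in flagged:
                alerts.append({"kind": "success_after_burst", "src": key[0],
                               "user": key[1], "at": ev["ts"].isoformat()})
            continue
        window = failures[key]
        window.append(ev["ts"])
        # Discard failures that have fallen out of the sliding window.
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"kind": "burst", "src": key[0], "user": key[1],
                           "count": len(window),
                           "first": window[0].isoformat(),
                           "last": ev["ts"].isoformat()})
    return alerts


def build_sample_log():
    """Constructed sample log (not real data): 12 key failures against 'alice'
    from one source in 22 seconds, one password failure, one isolated key
    failure, then a successful key login from the same source as the burst."""
    lines = [
        f"2026-04-22T10:00:{2 * i:02d}Z sftp auth=publickey user=alice "
        f"src=203.0.113.7 result=FAIL"
        for i in range(12)
    ]
    lines += [
        "2026-04-22T10:00:30Z sftp auth=password user=bob src=198.51.100.5 result=FAIL",
        "2026-04-22T10:00:31Z sftp auth=publickey user=carol src=192.0.2.44 result=FAIL",
        "2026-04-22T10:00:40Z sftp auth=publickey user=alice src=203.0.113.7 result=OK",
    ]
    return lines


if __name__ == "__main__":
    for alert in detect_key_bruteforce(build_sample_log()):
        print(alert)
```

On the constructed sample this yields one "burst" alert at the tenth failure (count 10, first at 10:00:00, last at 10:00:18) and one "success_after_burst" alert at 10:00:40; password failures are ignored because the platform already rate-limits them, and the single failure against carol never reaches the threshold. Tune threshold and window_seconds to the lockout policy configured for password logins so that both methods are held to the same standard.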
How to Mitigate CVE-2025-14362
Immediate Actions Required
- Upgrade Fortra GoAnywhere MFT to version 7.10.0 or later immediately
- Implement network-level rate limiting for SFTP service connections as an interim control
- Review and audit all Web User accounts configured for SSH key authentication
- Consider temporarily disabling SSH key authentication until the patch is applied
Patch Information
Fortra has addressed this vulnerability in GoAnywhere MFT version 7.10.0. Organizations should upgrade to this version or later to ensure the login limit is properly enforced for SFTP service SSH key authentication. Detailed patch information is available in the Fortra Security Advisory FI-2026-002.
Workarounds
- Deploy external rate limiting controls at firewall or load balancer level for SFTP traffic
- Restrict SFTP service access to known IP addresses using network ACLs or firewall rules
- Enforce strong SSH key policies requiring minimum key lengths and modern algorithms
- Consider implementing multi-factor authentication for sensitive file transfer operations
- Monitor and alert on unusual SFTP connection patterns while awaiting patch deployment
# Example: interim firewall rate limiting for new SFTP connections (iptables)
# Adjust --dport to the port the GoAnywhere SFTP service actually listens on (22 is assumed here).
# Insert these rules ahead of any rule that ACCEPTs the port, and size --hitcount so legitimate automated clients are not affected.
# Record every new connection per source IP in a dedicated "recent" list ...
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sftp --set
# ... and drop a source's 10th and later new connections within any 60-second window.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sftp --update --seconds 60 --hitcount 10 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.