Cyber Posture

CVE-2025-14362

High

Published: 21 April 2026

Modified: 23 April 2026
KEV Added: not listed
Patch: (no value given)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0005 (15.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-14362 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Fortra GoAnywhere Managed File Transfer. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 15.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (AC-7, Unsuccessful Logon Attempts): Directly enforces limits on consecutive invalid logon attempts across authentication methods, preventing brute-force guessing of SSH keys on the SFTP service for Web Users.

prevent (SI-2, Flaw Remediation): Requires risk-based flaw remediation, including patching to GoAnywhere MFT 7.10.0 or later, which enforces login limits on SFTP for SSH key-authenticated Web Users.

detect: Generates audit records for authentication events such as unsuccessful SFTP logons, enabling identification of brute-force attempts against SSH keys.

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (tactic: Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Directly enables brute-force guessing of SSH keys via missing rate limits on SFTP authentication (CWE-307).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

Deeper analysis

CVE-2025-14362 is a vulnerability in Fortra's GoAnywhere MFT versions prior to 7.10.0, specifically affecting the SFTP service. The issue stems from a failure to enforce login limits when a Web User is configured for SSH key authentication. This exposes SSH keys to brute-force guessing attacks, as rate limiting does not apply in this scenario. The vulnerability is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts) and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers require no privileges or user interaction to exploit this flaw over the network. By repeatedly attempting SSH key logins against the SFTP service for affected Web Users, adversaries can guess valid keys through brute force, bypassing the intended login restrictions. Successful exploitation has a limited impact on confidentiality, integrity, and availability, potentially enabling unauthorized file transfers or other SFTP operations tied to the compromised account.

Fortra's security advisory FI-2026-002 addresses mitigation for this vulnerability. Affected organizations should upgrade to GoAnywhere MFT 7.10.0 or later, which enforces login limits on SFTP for SSH key-authenticated Web Users, preventing brute-force attempts.
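As an added illustration (constructed example, not GoAnywhere MFT's code), the following Python models the flaw class the analysis describes: a login gate whose failed-attempt limit is consulted only on the password path, beside a gate that enforces the same AC-7 style limit across every authentication method. The user names, the fingerprint-matching stand-in for SSH key verification and the limit of 5 attempts are assumptions.

```python
"""Toy model of CWE-307 as described for CVE-2025-14362 (constructed code,
not GoAnywhere MFT's implementation)."""
import hashlib
import hmac
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5  # assumed AC-7 style limit, not a GoAnywhere setting

# Constructed Web User directory. Key auth is modelled as matching a stored
# public-key fingerprint, a stand-in for real SSH signature verification.
PASSWORD_HASHES = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
KEY_FINGERPRINTS = {"bob": "SHA256:constructed-fingerprint-for-bob"}


class SftpLoginGate:
    def __init__(self, limit_all_methods):
        # False reproduces the flaw: the limit applies to passwords only.
        self.limit_all_methods = limit_all_methods
        self.failures = defaultdict(int)

    def _locked(self, user):
        return self.failures[user] >= MAX_FAILED_ATTEMPTS

    def _record(self, user, ok):
        self.failures[user] = 0 if ok else self.failures[user] + 1

    def password_login(self, user, password):
        if self._locked(user):
            return "locked"
        digest = hashlib.sha256(password.encode()).hexdigest()
        ok = hmac.compare_digest(PASSWORD_HASHES.get(user, ""), digest)
        self._record(user, ok)
        return "ok" if ok else "denied"

    def key_login(self, user, fingerprint):
        # Vulnerable variant: neither the lock check nor the counter runs on
        # the key path, so guesses against a key-configured user are unlimited.
        if self.limit_all_methods and self._locked(user):
            return "locked"
        ok = hmac.compare_digest(KEY_FINGERPRINTS.get(user, ""), fingerprint)
        if self.limit_all_methods:
            self._record(user, ok)
        return "ok" if ok else "denied"


def outcomes_after_key_guesses(gate, user, guesses, real_fingerprint):
    """Submit `guesses` wrong keys, then the real key; return every outcome."""
    results = [gate.key_login(user, "SHA256:wrong-%d" % i) for i in range(guesses)]
    results.append(gate.key_login(user, real_fingerprint))
    return results
```

With the limit enforced across methods, the fifth failure locks the account and even the genuine key is refused until the lockout clears; without it, the key path never locks.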

Details

CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)

Affected Products: Fortra GoAnywhere Managed File Transfer, ≤ 7.10.0

CVEs Like This One

CVE-2025-10035: same product (Fortra GoAnywhere Managed File Transfer)
CVE-2025-69246: shared CWE-307
CVE-2026-6947: shared CWE-307
CVE-2026-22278: shared CWE-307
CVE-2025-23368: shared CWE-307
CVE-2024-57610: shared CWE-307
CVE-2026-35597: shared CWE-307
CVE-2025-69615: shared CWE-307
CVE-2026-33667: shared CWE-307
CVE-2026-4670: same product class (managed file transfer)

References