{"api_version":"1","generated_at":"2026-04-23T05:58:24+00:00","cve":"CVE-2025-14362","urls":{"html":"https://cve.report/CVE-2025-14362","api":"https://cve.report/api/cve/CVE-2025-14362.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-14362","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-14362"},"summary":{"title":"GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances","description":"The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.","state":"PUBLISHED","assigner":"Fortra","published_at":"2026-04-21 15:16:35","updated_at":"2026-04-21 16:20:24"},"problem_types":["CWE-307","CWE-307 CWE-307 Improper restriction of excessive authentication attempts"],"metrics":[{"version":"3.1","source":"df4dee71-de3a-4139-9588-11b62fe6c0ff","type":"Secondary","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","version":"3.1"}}],"references":[{"url":"https://fortra.com/security/advisories/product-security/FI-2026-002","name":"https://fortra.com/security/advisories/product-security/FI-2026-002","refsource":"df4dee71-de3a-4139-9588-11b62fe6c0ff","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-14362","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14362","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Fortra","product":"GoAnywhere MFT","version":"affected 7.10.0 semver","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Upgrade to patched version.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"14362","cve":"CVE-2025-14362","epss":"0.000360000","percentile":"0.107160000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"GoAnywhere MFT","vendor":"Fortra","versions":[{"lessThan":"7.10.0","status":"affected","version":"0","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force."}],"value":"The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force."}],"impacts":[{"capecId":"CAPEC-49","descriptions":[{"lang":"en","value":"CAPEC-49 Password Brute Forcing"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-307","description":"CWE-307 Improper restriction of excessive authentication attempts","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-21T14:14:08.492Z","orgId":"df4dee71-de3a-4139-9588-11b62fe6c0ff","shortName":"Fortra"},"references":[{"url":"https://fortra.com/security/advisories/product-security/FI-2026-002"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Upgrade to patched version."}],"value":"Upgrade to patched version."}],"source":{"discovery":"UNKNOWN"},"title":"GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"df4dee71-de3a-4139-9588-11b62fe6c0ff","assignerShortName":"Fortra","cveId":"CVE-2025-14362","datePublished":"2026-04-21T14:14:08.492Z","dateReserved":"2025-12-09T17:26:54.658Z","dateUpdated":"2026-04-21T14:14:08.492Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-21 15:16:35","lastModifiedDate":"2026-04-21 16:20:24","problem_types":["CWE-307","CWE-307 CWE-307 Improper restriction of excessive authentication attempts"],"metrics":{"cvssMetricV31":[{"source":"df4dee71-de3a-4139-9588-11b62fe6c0ff","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"14362","Ordinal":"1","Title":"GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Atta","CVE":"CVE-2025-14362","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"14362","Ordinal":"1","NoteData":"The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.","Type":"Description","Title":"GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Atta"}]}}}