Fortra security advisory (AV26-374)
# Vulnerability: Fortra GoAnywhere MFT SFTP Brute Force Vulnerability
## CVE Details
- **CVE ID:** CVE-2026-XXXXX (Specific IDs not explicitly provided in the summary text, referenced as FI-2026-002 and FI-2026-004)
- **CVSS Score:** Not explicitly listed in the source advisory (Typically rated Medium/High for brute force vulnerabilities)
- **CWE:** CWE-307 (Improper Restriction of Excessive Authentication Attempts)
## Affected Systems
- **Products:** Fortra GoAnywhere MFT
- **Versions:** All versions prior to 7.10.0
- **Configurations:** Systems running the SFTP Service with specific authentication configurations enabled.
## Vulnerability Description
The GoAnywhere MFT SFTP service is vulnerable to brute force attacks under certain circumstances. The flaw involves an improper restriction of login attempts, which allows an attacker to repeatedly attempt to guess credentials for SFTP accounts. If successful, this enables unauthorized access to the file transfer system and any sensitive data hosted within the user's account.
## Exploitation
- **Status:** Potential for exploitation (No specific reports of active exploitation in the wild mentioned in the summary)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Unauthorized access to files and user data)
- **Integrity:** Medium (Potential for unauthorized file modification or deletion)
- **Availability:** Low (Possible account lockout, but primary impact is unauthorized access)
## Remediation
### Patches
- **Update to GoAnywhere MFT version 7.10.0 or later.** This version includes fixes for the SFTP service login vulnerabilities (FI-2026-002 and FI-2026-004).
### Workarounds
- Implement strong password policies and multi-factor authentication (MFA) to mitigate the success of brute force attempts.
- Restrict SFTP access to known, trusted IP addresses via firewall or IP filtering rules.
- Review and enable lockout policies within the GoAnywhere administrative console to disable accounts after a set number of failed attempts.
## Detection
- **Indicators of Compromise:** Unusual spikes in failed login attempts originating from single or multiple external IP addresses targeting the SFTP service.
- **Detection methods and tools:**
  - Review GoAnywhere "Audit Logs" specifically for SFTP Login failure events.
  - Utilize SIEM tools to alert on high-frequency authentication failures (Brute force patterns).
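
The sliding-window check below is an added example, not Fortra's code or part of the source advisory; it flags both patterns named above, a burst of failures from one source IP and one account hit from several source IPs. The CSV layout, event names and thresholds are assumptions for illustration and do not reflect GoAnywhere's actual audit log format.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Assumed columns (hypothetical export layout):
# timestamp, service, event, user, source_ip
SAMPLE = """\
2026-01-10T03:00:00,SFTP,LOGIN_FAILED,alice,203.0.113.7
2026-01-10T03:00:08,SFTP,LOGIN_FAILED,alice,203.0.113.7
2026-01-10T03:00:15,SFTP,LOGIN_FAILED,alice,203.0.113.7
2026-01-10T03:00:21,SFTP,LOGIN_FAILED,alice,203.0.113.7
2026-01-10T03:00:30,SFTP,LOGIN_FAILED,alice,203.0.113.7
2026-01-10T03:05:00,SFTP,LOGIN_FAILED,bob,198.51.100.1
2026-01-10T03:05:10,SFTP,LOGIN_FAILED,bob,198.51.100.2
2026-01-10T03:05:20,SFTP,LOGIN_FAILED,bob,198.51.100.3
2026-01-10T03:10:00,SFTP,LOGIN_FAILED,carol,192.0.2.10
2026-01-10T03:10:05,SFTP,LOGIN_SUCCESS,carol,192.0.2.10
2026-01-10T04:00:00,SFTP,LOGIN_FAILED,dave,192.0.2.50
2026-01-10T04:10:00,SFTP,LOGIN_FAILED,dave,192.0.2.50
2026-01-10T04:20:00,HTTPS,LOGIN_FAILED,dave,192.0.2.50
"""

def detect(text, window=timedelta(seconds=60), ip_max=5, user_ip_max=3):
    """Return alerts for single-source bursts and multi-source account targeting."""
    by_ip = defaultdict(deque)    # source_ip -> recent failure timestamps
    by_user = defaultdict(deque)  # user -> recent (timestamp, source_ip)
    alerts = set()
    # Skip malformed rows; ISO 8601 timestamps sort correctly as strings.
    rows = sorted(r for r in csv.reader(text.splitlines()) if len(r) == 5)
    for ts, service, event, user, ip in rows:
        if service != "SFTP" or event != "LOGIN_FAILED":
            continue
        now = datetime.fromisoformat(ts)
        q = by_ip[ip]
        q.append(now)
        while now - q[0] > window:      # drop failures outside the window
            q.popleft()
        if len(q) >= ip_max:            # many failures from one source
            alerts.add(("source_ip", ip))
        u = by_user[user]
        u.append((now, ip))
        while now - u[0][0] > window:
            u.popleft()
        if len({src for _, src in u}) >= user_ip_max:  # one account, many sources
            alerts.add(("account", user))
    return alerts
```

Tune `window`, `ip_max` and `user_ip_max` against the baseline failure rate of legitimate automated transfers before alerting on the output.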
## References
- Fortra Security Advisory FI-2026-002: hxxps[://]www[.]fortra[.]com/security/advisories/product-security/fi-2026-002
- Fortra Security Advisory FI-2026-004: hxxps[://]www[.]fortra[.]com/security/advisories/product-security/fi-2026-004
- Fortra Product CVEs: hxxps[://]www[.]fortra[.]com/security/advisories/product-security
- Canadian Centre for Cyber Security Advisory (AV26-374): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/fortra-security-advisory-av26-374