Primary

Context

Fortra GoAnywhere MFT and GoAnywhere Agents Static IV Vulnerability Allowing Brute-Force Decryption

Vulnerability

A vulnerability exists in Fortra's GoAnywhere MFT versions prior to 7.10.0 and GoAnywhere Agents versions prior to 2.2.0, where encrypted values use a static initialization vector (IV). This flaw enables admin users to brute-force the decryption of data.

Impact

Exploitation of this vulnerability could lead to unauthorized decryption of sensitive data, potentially allowing for data exposure or misuse.

Remediation

Users are advised to update to Fortra GoAnywhere MFT version 7.10.0 or later, and GoAnywhere Agents version 2.2.0 or later.

Added: Apr 21, 2026, 3:47 PM

Updated: Apr 21, 2026, 3:47 PM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

2.5

exploitability

3.5

remediation

0.0

relevance

6.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

2.5

exploitability

3.5

remediation

0.0

relevance

6.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Fortra GoAnywhere MFT and GoAnywhere Agents Static IV Vulnerability Allowing Brute-Force Decryption

Vulnerability

Impact

Remediation

Affected Products

Fortra GoAnywhere MFT

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating