Attack Chain

1. Attacker identifies a GoAnywhere MFT server running a version prior to 7.10.0.
2. Attacker determines that the GoAnywhere MFT server allows Web Users to authenticate using SSH keys.
3. Attacker attempts to authenticate to the SFTP service using a series of generated SSH keys.
4. Due to the lack of login limit enforcement, the attacker can make unlimited authentication attempts without being locked out.
5. The attacker continues brute-forcing SSH keys until a valid key is guessed, or an exploitable weakness is found.
6. Upon successful authentication, the attacker gains unauthorized access to the GoAnywhere MFT server.
7. The attacker can then upload/download arbitrary files, execute commands, and potentially move laterally within the network.
8. The final objective is to exfiltrate sensitive data or establish a persistent foothold within the target environment.

Impact

Successful exploitation of CVE-2025-14362 can lead to unauthorized access to sensitive data managed by the GoAnywhere MFT server. This could include financial records, customer data, intellectual property, and other confidential information. The number of victims is dependent on the exposure of vulnerable GoAnywhere MFT servers. Sectors commonly using MFT solutions, such as finance, healthcare, and government, are at increased risk. The impact of a successful attack can range from data breaches and financial loss to reputational damage and legal liabilities.

Recommendation

• Upgrade Fortra GoAnywhere MFT to version 7.10.0 or later to patch CVE-2025-14362 (reference: Overview).
• Implement rate limiting on SSH authentication attempts at the network or host level to mitigate brute-force attacks, even after patching (reference: Attack Chain).
• Monitor SFTP logs for excessive failed authentication attempts originating from the same source IP address using a Sigma rule similar to the one provided below (reference: Rules).