CVE-2025-3871: 
GoAnywhere MFT vulnerability analysis and mitigation

CVE-2025-3871 is a broken access control vulnerability discovered in Fortra's GoAnywhere MFT versions prior to 7.8.1. The vulnerability was discovered on July 15, 2025, and publicly disclosed on July 16, 2025. This security flaw affects the GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) functionality of the software (Fortra Advisory).

The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 5.3 (Medium severity). The vulnerability vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating network accessibility, low attack complexity, no privileges required, no user interaction needed, unchanged scope, and low impact on availability (Fortra Advisory).

When exploited, this vulnerability allows an attacker to create a denial of service situation specifically targeting users configured to use GOTP. If a user has GOTP configured but hasn't set an email address, an attacker can enter the email address of a known user when prompted, resulting in that user being disabled (Fortra Advisory).

Two mitigation options are available: 1) Ensure all users configured to use GOTP email for 2FA have an email address set beforehand, 2) In situations where email cannot be set ahead of time (e.g., Self-Registration), switch Admin and Web User Templates to use alternative 2FA options such as Time-based One-Time Password or RADIUS. The permanent fix is to update to GoAnywhere MFT version 7.8.1 or higher (Fortra Advisory).