Fortra


Products by Fortra Sorted by Most Security Vulnerabilities since 2018

Fortra Filecatalyst Workflow: 4 vulnerabilities
Fortra Filecatalyst Direct: 2 vulnerabilities
Fortra Robot Schedule: 2 vulnerabilities
Fortra Delivernow: 1 vulnerability
Fortra Filecatalyst: 1 vulnerability

Known Exploited Fortra Vulnerabilities

The following Fortra vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
Description: Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
CVE-2025-10035 Exploit Probability: 55.7%
Added: September 29, 2025

Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability
Description: Fortra Cobalt Strike User Interface contains an unspecified vulnerability rooted in Java Swing that may allow remote code execution.
CVE-2022-42948 Exploit Probability: 21.8%
Added: March 30, 2023

Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability
Description: Fortra Cobalt Strike contains a cross-site scripting (XSS) vulnerability in Teamserver that would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute code remotely.
CVE-2022-39197 Exploit Probability: 19.6%
Added: March 30, 2023

Fortra GoAnywhere MFT Remote Code Execution Vulnerability
Description: Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object.
CVE-2023-0669 Exploit Probability: 94.4%
Added: February 10, 2023

The vulnerability CVE-2023-0669: Fortra GoAnywhere MFT Remote Code Execution Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. 3 known exploited Fortra vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 0 vulnerabilities in Fortra. Last year, in 2025, Fortra had 5 security vulnerabilities published. Right now, Fortra is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 5 6.02
2024 11 7.54
2023 3 7.67

It may take a day or so for new Fortra vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Fortra Security Vulnerabilities

CVE-2025-13532 (Dec 16, 2025)
Title: CVE-2025-13532: BoKS Server Agent 9.0 Weak Password Hash Defaults
Description: Insecure defaults in the Server Agent component of Fortra's Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms. This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain.

CVE-2025-8148 (Dec 05, 2025)
Title: Improper Access Control in Fortra GoAnywhere MFT SFTP <7.9.0
Description: An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still log in using their SSH key.

CVE-2025-10035 (Sep 18, 2025)
Title: Deserialization Vulnerability in Fortra GoAnywhere MFT License Servlet
Description: A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

CVE-2024-11922 (Apr 28, 2025)
Title: GoAnywhere MFT 7.7 Web Client XSS via email HTML/JS injection
Description: Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email.
Products: Goanywhere Managed File Transfer

CVE-2025-0049 (Apr 28, 2025)
Title: GoAnywhere up to 7.7: Path Leak via Invalid File Upload
Description: When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path which may allow Fuzzing for application mapping. This issue affects GoAnywhere: before 7.8.0.
Products: Goanywhere Managed File Transfer

CVE-2024-8264 (Oct 09, 2024)
Title: Fortra Robot Schedule Enterprise Agent <3.05 Log Disclosure of FTP Credentials
Description: Fortra's Robot Schedule Enterprise Agent prior to version 3.05 writes FTP username and password information to the agent log file when detailed logging is enabled.
Products: Robot Schedule

CVE-2024-6633 (Aug 27, 2024)
Title: FileCatalyst Workflow HSQLDB Default Credentials Exposure
Description: The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software. The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB.
Products: Filecatalyst Workflow

CVE-2024-6632 (Aug 27, 2024)
Title: FileCatalyst Workflow SQLi via Super Admin Field
Description: A vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to perform an SQL injection attack which can lead to a loss of confidentiality, integrity, and availability.
Products: Filecatalyst Workflow

CVE-2024-25157 (Aug 14, 2024)
Title: Auth Bypass in GoAnywhere MFT <7.6.0 Agent Console
Description: An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification.
Products: Goanywhere Managed File Transfer

CVE-2024-5276 (Jun 25, 2024)
Title: SQL Injection in Fortra FileCatalyst Workflow <=5.1.6 Build 135
Description: A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.
Products: Filecatalyst Workflow

CVE-2024-0259 (Mar 28, 2024)
Title: Fortra Robot Schedule Enterprise Agent 3.04 PrivEsc via exe overwrite
Description: Fortra's Robot Schedule Enterprise Agent for Windows prior to version 3.04 is susceptible to privilege escalation. A low-privileged user can overwrite the service executable. When the service is restarted, the replaced binary runs with local system privileges, allowing a low-privileged user to gain elevated privileges.
Products: Robot Schedule

CVE-2024-25156 (Mar 14, 2024)
Title: GoAnywhere MFT <7.4.2 Path Traversal bypassing endpoint permissions
Description: A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients.
Products: Goanywhere Managed File Transfer

CVE-2024-25154 (Mar 13, 2024)
Title: FileCatalyst Direct 3.8.8- prior: Improper URL Validation Path Traversal
Description: Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.
Products: Filecatalyst Direct

CVE-2024-25153 (Mar 13, 2024)
Title: FileCatalyst Workflow: FTP Servlet Dir Traversal Enables Arbitrary File Uploads
Description: A directory traversal within the ftpservlet of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended uploadtemp directory with a specially crafted POST request. In situations where a file is successfully uploaded to the web portal's DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
Products: Filecatalyst Workflow, Filecatalyst

CVE-2024-25155 (Mar 13, 2024)
Title: FileCatalyst Direct 3.8.8 ASG WebServer XSS via Unsanitized URL
Description: In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag.
Products: Filecatalyst Direct

CVE-2024-0204 (Jan 22, 2024)
Title: GoAnywhere MFT <7.4.1 Auth Bypass: Admin Creation via Portal
Description: Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
Products: Goanywhere Managed File Transfer

CVE-2023-6253 (Nov 22, 2023)
Title: Local Retrieval of Uninstall Key in DG Agent 7.9.3 Uninstaller
Description: A saved encryption key in the Uninstaller in Digital Guardian's Agent before version 7.9.4 allows a local attacker to retrieve the uninstall key and remove the software by extracting the uninstaller key from the memory of the uninstaller file.
Products: Digital Guardian Agent

CVE-2021-26837 (Sep 19, 2023)
Title: SQLi Vulnerability CVE-2021-26837 in Fortra DeliverNow <1.2.18 (SearchTextBox)
Description: SQL Injection vulnerability in SearchTextBox parameter in Fortra (Formerly HelpSystems) DeliverNow before version 1.2.18, allows attackers to execute arbitrary code, escalate privileges, and gain sensitive information.
Products: Delivernow

CVE-2023-0669 (Feb 06, 2023)
Title: Pre-auth Cmd Injection in Fortra GoAnywhere MFT pre-7.1.2
Description: Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
Products: Goanywhere Managed File Transfer
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).