CVE-2025-0049

Disclosure of sensitive information in an error message in GoAnywhere prior to version 7.8.0

Description

When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path, which may allow fuzzing for application mapping. This issue affects GoAnywhere versions before 7.8.0.

Remediation

Solution:

  • Upgrade to GoAnywhere 7.8.0 or later.

Workaround:

  • Grant the Web User Create permission on Subfolders. This issue occurs when the Web User does not have that permission: the bug is triggered when a user tries to upload a file to a directory that does not exist yet (if they have permission to create subdirectories, the non-existent directory is created automatically). Note: This workaround requires supplying an additional permission that the Web User does not have in vulnerable configurations.

Category

CVSS 3.1 score: 3.5
Severity: Low
EPSS: 0.03%
Vendor Advisory: fortra.com
Affected: Fortra GoAnywhere

Frequently Asked Questions

What is the severity of CVE-2025-0049?
CVE-2025-0049 has been scored as a low severity vulnerability.

How to fix CVE-2025-0049?
To fix CVE-2025-0049: Upgrade to GoAnywhere 7.8.0 or later.

Is CVE-2025-0049 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2025-0049 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

What software or system is affected by CVE-2025-0049?
CVE-2025-0049 affects Fortra GoAnywhere.