A unique aspect of Core is the separation between the (web UI & database) and Agents (distributed workers). Security hinges on outbound-only TLS connections from Agents to the Core server, eliminating the need for inbound firewall holes to remote offices.
Security Architecture, Vulnerability Analysis, and Hardening Guidelines
Solution: GoAnywhere Core (HelpSystems / Fortra)
Report Date: October 26, 2023
Older versions allowed unsanitized input in project variables. Attackers could inject newline characters into logs (log forging) or manipulate JDBC queries if a project used dynamic SQL.
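The two input-handling issues described above, shown as an added example that is not from the original report and is not GoAnywhere code: a variable value is neutralized before it is written to a log, and a dynamic SQL statement is placed beside its bound-parameter form. The log format, the `transfers` table and the sample values are constructed, and Python's `sqlite3` stands in for a JDBC data source.

```python
import re
import sqlite3

# CR, LF, other C0 controls, DEL and the Unicode line separators: any of
# these lets a value end the current log line and start a new one.
_CTRL = re.compile(r"[\x00-\x1f\x7f\u0085\u2028\u2029]")

def neutralize(value: str) -> str:
    """Escape backslashes, quotes and control characters in a variable value."""
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    return _CTRL.sub(lambda m: "\\u%04x" % ord(m.group()), value)

def log_line(job: str, name: str, value: str) -> str:
    """Format one log record (format is an assumption for this example)."""
    return f'INFO job={job} {name}="{neutralize(value)}"'

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a project's data source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (partner TEXT, name TEXT)")
    conn.executemany("INSERT INTO transfers VALUES (?, ?)",
                     [("acme", "payroll.csv"), ("globex", "invoices.zip")])
    return conn

def lookup_dynamic(conn, partner):
    """'Before' form: the variable becomes part of the SQL text."""
    sql = "SELECT name FROM transfers WHERE partner = '" + partner + "'"
    return conn.execute(sql).fetchall()

def lookup_bound(conn, partner):
    """Hardened form: the variable is bound as data, never parsed as SQL."""
    return conn.execute("SELECT name FROM transfers WHERE partner = ?",
                        (partner,)).fetchall()

# Constructed variable values.
FORGED = "report.csv\nINFO job=nightly user=admin login succeeded"
QUOTED = "acme' OR '1'='1"

if __name__ == "__main__":
    print(log_line("nightly", "file", FORGED))   # stays one record
    conn = demo_db()
    print(lookup_dynamic(conn, QUOTED))          # predicate rewritten: all rows
    print(lookup_bound(conn, QUOTED))            # no partner has that name: []
```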
The security posture of GoAnywhere is generally high when properly configured. It supports modern encryption standards, integrates with Identity Providers, and provides detailed audit trails. However, the application has historically been a target for ransomware groups due to specific vulnerabilities in its administrative web interface, necessitating rigorous patch management and network segmentation.
GoAnywhere Core is secure IF:
GoAnywhere Core provides enterprise-grade cryptographic controls and granular RBAC, but its security ultimately depends on and patch velocity. The product's biggest strengths—flexible scripting, multiple protocols, and distributed agents—are also its biggest risk surfaces when mismanaged. A deep security review must treat Core not as a black box but as a stateful orchestrator of secrets, files, and identities, each requiring independent hardening.