Critical Authentication Bypass Vulnerability in GoAnywhere MFT: Urgent Patch Recommended
January 23, 2024
Fortra is alerting users to a new authentication bypass vulnerability affecting GoAnywhere MFT versions prior to 7.4.1. This vulnerability could enable an attacker to create a new administrative user. GoAnywhere MFT, a tool used globally for secure file transfers with business partners and customers, offers features such as secure encryption protocols, automation, centralized control, and a range of logging and reporting tools useful for legal compliance and auditing.
The flaw, designated as CVE-2024-0204, is considered critical, with a CVSS v3.1 score of 9.8. It is remotely exploitable, allowing an unauthorized user to create admin users through the product’s administration portal. This could lead to a complete device takeover, enabling attackers to access sensitive data, introduce malware, and potentially launch further attacks within the network.
This vulnerability affects Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier. The issue has been resolved in GoAnywhere MFT 7.4.1, released on December 7, 2023. Fortra strongly recommends that all users install the latest update (currently 7.4.1) to mitigate the vulnerability. Fortra's advisory also describes two manual mitigation pathways for deployments that cannot be upgraded immediately.
The vulnerability, CVE-2024-0204, was first discovered on December 1, 2023, by Mohammed Eldeeb and Islam Elrfai from Spark Engineering Consultants. Despite the significant time that has passed since the initial disclosure, Fortra hasn't clarified whether the vulnerability is being actively exploited. However, with the release of mitigations and hints about the bug's location, it wouldn't be surprising if proof-of-concept exploits were released soon.
In early 2023, the Clop ransomware gang exploited a critical remote code execution flaw in GoAnywhere MFT, tracked as CVE-2023-0669. The flaw had been exploited as a zero-day vulnerability since January 18, 2023. Fortra became aware of this on February 3, 2023, and released patches three days later. Unfortunately, the Clop ransomware gang had already conducted widespread data theft attacks, impacting organizations worldwide, causing data leaks, operational disruptions, and reputational damage. Notable victims of these attacks include Crown Resorts, CHS, Hatch Bank, Rubrik, the City of Toronto, Hitachi Energy, Procter & Gamble, and Saks Fifth Avenue.
Given these circumstances, organizations using Fortra GoAnywhere MFT are advised to apply the available security updates and recommended mitigations as soon as possible, and to closely monitor their logs for any suspicious activity.
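A defender-side triage helper, added here as an example and not code from Fortra or from the article: it checks a reported GoAnywhere MFT version string against the affected range stated above (6.0.1 through 7.4.0, fixed in 7.4.1) and flags admin-account creation events in an audit log so they can be reviewed against expected changes. The key=value log format and the sample lines are constructed for this example; the product's real log format is not shown on the page and is not assumed.

```python
import re

AFFECTED_MIN = (6, 0, 1)   # advisory: "6.x from 6.0.1"
AFFECTED_MAX = (7, 4, 0)   # advisory: "7.4.0 and earlier"; fixed in 7.4.1

def parse_version(version: str) -> tuple:
    """Turn '7.4.0' or '6.8' into a comparable 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected_version(version: str) -> bool:
    """True when the version lies in the range the advisory lists as affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

# Constructed sample audit lines in a hypothetical key=value format (not the
# product's real format). Addresses are documentation/private ranges.
SAMPLE_LOG = """\
2024-01-22T03:14:07Z actor=admin event=login source=10.0.0.5
2024-01-22T03:14:09Z actor=<none> event=admin_user_created target=svc_backup source=203.0.113.7
2024-01-22T09:02:11Z actor=admin event=admin_user_created target=jdoe source=10.0.0.5
2024-01-22T09:05:40Z actor=jdoe event=login source=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) event=(?P<event>\S+)"
    r"(?: target=(?P<target>\S+))? source=(?P<src>\S+)$"
)

def find_admin_creations(log_text: str) -> list:
    """Return (timestamp, actor, target, source) for each admin-user creation event."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("event") == "admin_user_created":
            hits.append((m.group("ts"), m.group("actor"), m.group("target"), m.group("src")))
    return hits

def unauthenticated_creations(log_text: str) -> list:
    """Creation events with no authenticated actor: the first ones to review,
    since the bypass yields a new admin account without a prior login."""
    return [h for h in find_admin_creations(log_text) if h[1] == "<none>"]

if __name__ == "__main__":
    for v in ("6.0.0", "6.0.1", "7.4.0", "7.4.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    for hit in unauthenticated_creations(SAMPLE_LOG):
        print("review:", hit)
```

Every admin creation, authenticated or not, still deserves a match against a change ticket; the unauthenticated filter only orders the review queue.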