Critical Exploit Released for Fortra’s GoAnywhere MFT Authentication Bypass Vulnerability
January 23, 2024
Exploit code has been released for a critical vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) software. GoAnywhere is a web-based managed file transfer product that organizations use to transfer files securely and to keep audit logs of file access. The flaw, tracked as CVE-2024-0204, allows attackers to create new administrative users through the administration portal on instances that have not been patched.
Fortra fixed the bug silently in GoAnywhere MFT 7.4.1, released on December 7, and only disclosed the issue publicly recently. Before the public disclosure, Fortra had sent private advisories to customers urging them to secure their MFT deployments and protect their data. Administrators who have not yet upgraded to the latest version are advised to apply the vendor's mitigation to eliminate the attack vector.
Fortra has confirmed that there have been no reported attacks exploiting this vulnerability. However, researchers from Horizon3's Attack Team have now published a technical analysis of the vulnerability together with a proof-of-concept (PoC) exploit. The PoC uses the path traversal issue at the core of CVE-2024-0204 to reach the vulnerable /InitialAccountSetup.xhtml endpoint and trigger the initial account setup screen, which is then used to create a new administrator account.
Zach Hanley, Chief Attack Engineer at Horizon3, stated, "The easiest indicator of compromise that can be analyzed is for any new additions to the 'Admin users' group in the GoAnywhere administrator portal Users -> Admin Users section." He added that if the attacker has left this user, its last logon activity could be observed to estimate the date of compromise.
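Alongside the admin-user check above, a second place to look is the web server access log: on an instance that has already completed setup, no request should resolve to /InitialAccountSetup.xhtml, with or without traversal segments. The following detection script is an added example, not code from the article or from Horizon3; it assumes Common Log Format lines (the sample entries are constructed) and normalizes each requested path, decoding twice to catch double percent-encoding, before comparing it to the setup endpoint.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Endpoint named in the write-up; on a configured instance it should never be hit.
SETUP_ENDPOINT = "/initialaccountsetup.xhtml"

# Assumed Common Log Format; real GoAnywhere/front-proxy logs may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample entries: two traversal variants, one benign, one direct hit.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2024:10:15:02 +0000] "GET /goanywhere/../InitialAccountSetup.xhtml HTTP/1.1" 200 5120
203.0.113.7 - - [20/Jan/2024:10:15:09 +0000] "POST /goanywhere/%2e%2e/InitialAccountSetup.xhtml HTTP/1.1" 302 0
198.51.100.4 - - [20/Jan/2024:10:16:30 +0000] "GET /goanywhere/ HTTP/1.1" 200 2210
198.51.100.4 - - [20/Jan/2024:10:17:01 +0000] "GET /InitialAccountSetup.xhtml HTTP/1.1" 200 5120
"""

def decode_path(raw_path):
    """Drop the query string and percent-decode twice to catch double encoding."""
    return unquote(unquote(raw_path.split("?", 1)[0]))

def resolve_path(decoded):
    """Collapse '.', '..' and repeated '/' segments the way a server resolves them."""
    return normpath(re.sub(r"/{2,}", "/", decoded))

def classify(raw_path):
    """Return None for an unrelated request, otherwise a reason string."""
    decoded = decode_path(raw_path)
    resolved = resolve_path(decoded)
    if resolved.lower() != SETUP_ENDPOINT:
        return None
    if resolved != decoded:
        return "setup endpoint reached via path traversal"
    return "setup endpoint requested directly"

def find_setup_hits(log_text):
    """Parse each line and collect every request that resolves to the setup endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["path"])
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": m["status"], "path": m["path"], "reason": reason})
    return hits

if __name__ == "__main__":
    for h in find_setup_hits(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["reason"]}')
```

A hit with a 302 on a POST is worth correlating with the admin-user list, since that is the step at which an account would have been created.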
With Horizon3's PoC exploit now public, it is highly likely that threat actors will begin scanning for and compromising unpatched GoAnywhere MFT instances. The Clop ransomware gang previously exploited a critical remote code execution flaw in GoAnywhere MFT (CVE-2023-0669) to breach over 100 organizations.
These attacks on MFT platforms are part of a larger trend, which includes the breach of Accellion FTA servers in December 2020, of SolarWinds Serv-U servers in 2021, and the widespread exploitation of MOVEit Transfer servers beginning in June 2023.