Critical Exploit Released for Fortra’s GoAnywhere MFT Authentication Bypass Vulnerability

January 23, 2024

Exploit code is now public for a critical vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) software. GoAnywhere is a web-based managed file transfer tool that organizations use to transfer files securely and to keep audit logs of file access. The flaw, tracked as CVE-2024-0204, allows attackers to create new administrative users through the administration portal on unpatched instances.

Fortra fixed the bug silently in GoAnywhere MFT 7.4.1, released on December 7, and only disclosed it publicly recently. Before the public disclosure, Fortra had sent private advisories urging customers to secure their MFT services and protect their data. Administrators who have not yet upgraded to the latest version are advised to do so to eliminate the attack vector.

Fortra has confirmed that no attacks exploiting this vulnerability have been reported. However, security researchers from Horizon3's Attack Team have now published a technical analysis of the vulnerability and shared a proof-of-concept (PoC) exploit. The exploit uses the path traversal issue at the core of CVE-2024-0204 to reach the vulnerable /InitialAccountSetup.xhtml endpoint and bring up the initial account setup screen, from which a new administrator account can be created.

Zach Hanley, Chief Attack Engineer at Horizon3, stated, "The easiest indicator of compromise that can be analyzed is for any new additions to the 'Admin users' group in the GoAnywhere administrator portal Users -> Admin Users section." He added that if the attacker has left this user, its last logon activity could be observed to estimate the date of compromise.
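The two checks described above, reviewing web access logs for requests that reach the setup endpoint and reviewing the Admin Users group for unexpected accounts, as an added example written for this article and not code from Horizon3 or Fortra. The log lines and the admin user export are constructed sample data; the common-log-style line layout and the export column names (`username`, `created`, `last_login`) are assumptions, not GoAnywhere's actual formats, so adapt the regex and field names to what your instance writes.

```python
"""Added triage helpers for CVE-2024-0204 (example code, not from the article or Fortra).

Check 1: scan web access logs for any request whose decoded path contains the
         InitialAccountSetup.xhtml endpoint, and note whether it was reached through
         traversal segments and whether it was a POST (a form submission).
Check 2: list members of the Admin Users group created after a baseline date, with
         their last logon as the first estimate of when the compromise happened.
"""
import posixpath
import re
from datetime import date, datetime
from urllib.parse import unquote

SETUP_ENDPOINT = "InitialAccountSetup.xhtml"
FIX_RELEASED = date(2023, 12, 7)  # GoAnywhere MFT 7.4.1 release date given in the article

# Constructed sample access log lines (assumed common-log-style layout, not GoAnywhere's own format).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2024:10:01:02 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 5120
10.0.0.9 - - [21/Jan/2024:03:14:15 +0000] "GET /goanywhere/images/..%2fInitialAccountSetup.xhtml HTTP/1.1" 200 8800
10.0.0.9 - - [21/Jan/2024:03:14:20 +0000] "POST /goanywhere/images/..%2fInitialAccountSetup.xhtml HTTP/1.1" 302 0
10.0.0.7 - - [21/Jan/2024:09:00:00 +0000] "GET /goanywhere/Dashboard.xhtml HTTP/1.1" 200 7000
"""

# Constructed export of the Admin Users group; the column names are an assumption.
SAMPLE_ADMIN_USERS = [
    {"username": "mftadmin", "created": "2022-03-01 09:00:00", "last_login": "2024-01-22 08:15:00"},
    {"username": "svc_backup", "created": "2023-06-14 12:30:00", "last_login": "2024-01-21 23:00:00"},
    {"username": "support2", "created": "2024-01-21 03:14:22", "last_login": "2024-01-21 03:15:01"},
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_path(raw_path):
    """Return (decoded path, traversal flag, normalized path).

    Decoding twice defeats double URL encoding; the query string is dropped; the
    traversal flag records whether any '..' segment was present before normalization.
    """
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    traversal = bool(TRAVERSAL_RE.search(decoded))
    return decoded, traversal, posixpath.normpath(decoded)


def find_setup_endpoint_hits(log_text):
    """Return every parsed request whose decoded path mentions the setup endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        decoded, traversal, resolved = decode_path(m["path"])
        if SETUP_ENDPOINT.lower() in decoded.lower():
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "requested": m["path"],
                "resolved": resolved,
                "traversal": traversal,
            })
    return hits


def suspicious_admin_users(users, baseline=FIX_RELEASED):
    """Return admin accounts created after the baseline date.

    The baseline defaults to the 7.4.1 release date as a heuristic; accounts created
    after it that are covered by change records can be cleared, the rest need review.
    The last_login value is the compromise-date estimate the article suggests.
    """
    flagged = []
    for u in users:
        created = datetime.strptime(u["created"], "%Y-%m-%d %H:%M:%S")
        if created.date() > baseline:
            flagged.append({"username": u["username"], "created": created, "last_login": u["last_login"]})
    return flagged


if __name__ == "__main__":
    for hit in find_setup_endpoint_hits(SAMPLE_LOG):
        print("setup endpoint request:", hit)
    for user in suspicious_admin_users(SAMPLE_ADMIN_USERS):
        print("review admin account:", user)
```

Run against the sample data, the log check reports the two requests from 10.0.0.9 (a GET that rendered the setup page and the POST that submitted it, both through a traversal segment), and the user check flags `support2`, whose creation time lines up with those requests. Matching on the endpoint name anywhere in the decoded path, rather than only on the normalized path, is deliberate: it catches requests that reach the endpoint through path tricks the normalizer does not collapse.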

With Horizon3's PoC exploit release, it is highly likely that threat actors will begin scanning for and compromising all unpatched GoAnywhere MFT instances. The Clop ransomware gang has previously exploited a critical remote code execution flaw (CVE-2023-0669) in the GoAnywhere MFT software, breaching over 100 organizations.

This pattern of attacks on MFT platforms is part of a larger trend. Examples include the breach of Accellion FTA servers in December 2020, SolarWinds Serv-U servers in 2021, and the widespread exploitation of MOVEit Transfer servers starting in June 2023.
