Fortra has revealed a critical vulnerability in its GoAnywhere MFT (Managed File Transfer) software: an authentication bypass that poses a significant security risk. Successful exploitation could let attackers create a new admin user, potentially opening the door to further malicious actions.
GOANYWHERE MFT VULNERABILITY
GoAnywhere MFT is a widely employed secure managed file transfer solution, streamlining the seamless exchange of data among systems, employees, customers, and trading partners globally.
The vulnerability, designated CVE-2024-0204 with a CVSS score of 9.8, could allow a remote, unauthenticated attacker to create users with admin-level privileges through the product’s administration portal. The consequences can be severe, including unauthorized access to sensitive data, potential malware infections, and even the risk of a complete device takeover.
The flaw was uncovered on December 1, 2023, and Fortra promptly addressed it on December 7 by releasing GoAnywhere MFT version 7.4.1. Private advisories were sent to customers within days of the discovery; a public security advisory, albeit limited in detail, has been issued only recently.
The versions impacted by this vulnerability are as follows:
- Fortra GoAnywhere MFT 6.x starting from 6.0.1
- Fortra GoAnywhere MFT 7.4.0 and earlier
As of now, there are no reported instances of active exploitation of CVE-2024-0204 in the wild.
Fortra’s GoAnywhere MFT, a widely used file transfer product for businesses, has been a target for threat actors before. The software was previously affected by a significant vulnerability, CVE-2023-0669, which served as an entry point for ransomware attacks by the notorious Cl0p ransomware group.
Exploiting CVE-2023-0669 provided malicious actors with Remote Code Execution (RCE) capabilities, albeit requiring access to the application’s administrative console.
In addition to Cl0p, the GoAnywhere MFT RCE vulnerability was exploited by ransomware groups such as LockBit and BlackCat (ALPHV), contributing to a 91% increase in ransomware attacks in a single month.
GoAnywhere MFT is not the sole target of such threats; similar attacks have been observed against Progress Software’s MOVEit Transfer, another file transfer software, by the Cl0p ransomware group. In 2023, this ransomware actor disrupted numerous organizations using MOVEit exploits, posing threats of data leaks.
The current concern revolves around CVE-2024-0204, a critical authentication bypass vulnerability, with the potential to follow in the footsteps of CVE-2023-0669. While no active exploitation has been reported yet, given its predecessor’s history and previous instances of file transfer product exploits, there is a looming threat that organizations should actively defend against.
AUTH BYPASS IN GOANYWHERE FIXED
The vulnerable versions include all 6.x versions of GoAnywhere, beginning with 6.0.1, and all 7.x versions preceding 7.4.1. The latter was released in December 2023, so those who promptly install updates are already protected. Since the developer does not provide any mitigation (which is not feasible in this case), updating is the sole viable option to safeguard against CVE-2024-0204.
For non-container deployments, Fortra recommends removing the InitialAccountSetup.xhtml file in the installation directory and restarting the services as a mitigation for the vulnerability. In cases where GoAnywhere MFT is deployed in containers, Fortra suggests replacing the file with an empty counterpart and then restarting to effectively address the issue.
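As an added example (not Fortra's code), the following Python script turns the affected-version ranges and the InitialAccountSetup.xhtml workaround above into a local triage check: it classifies a deployment as patched, mitigated, or exposed. The install directory passed in is assumed to be the one that holds InitialAccountSetup.xhtml, and the version string is assumed to be dotted numerals such as "7.4.0".

```python
from pathlib import Path

# Affected ranges as stated in Fortra's advisory for CVE-2024-0204:
# every 6.x build from 6.0.1 onward, and every 7.x build before 7.4.1.
FIRST_AFFECTED_6X = (6, 0, 1)
FIXED_7X = (7, 4, 1)


def parse_version(text):
    """Turn a dotted version such as '7.4.0' into a comparable tuple,
    padding short strings like '7.4' to three components."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    """True when the version falls inside the advisory's affected ranges."""
    v = parse_version(version)
    if v[0] == 6:
        return v >= FIRST_AFFECTED_6X
    if v[0] == 7:
        return v < FIXED_7X
    return False  # the advisory lists no other major versions


def mitigation_applied(install_dir, containerized=False):
    """Check the workaround: InitialAccountSetup.xhtml deleted (non-container)
    or replaced by an empty file (container). install_dir is assumed to be
    the directory that actually holds the file."""
    base = Path(install_dir)
    if not base.is_dir():
        raise FileNotFoundError(f"install directory not found: {install_dir}")
    page = base / "InitialAccountSetup.xhtml"
    if not page.exists():
        return True  # deletion satisfies both deployment styles
    return containerized and page.stat().st_size == 0


def assess(version, install_dir, containerized=False):
    """Return 'patched', 'mitigated' or 'exposed' for one deployment."""
    if not is_vulnerable(version):
        return "patched"
    if mitigation_applied(install_dir, containerized):
        return "mitigated"
    return "exposed"


if __name__ == "__main__":
    # Constructed example; /opt/goanywhere is an assumed install path.
    print(assess("7.4.0", "/opt/goanywhere"))
```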