Patch Your GoAnywhere MFT Immediately - Critical Flaw Lets Anyone Be Admin

24.01.2024


A critical security vulnerability has been disclosed in Fortra's GoAnywhere Managed File Transfer (MFT) software. It carries a CVSS score of 9.8 out of 10, and because it requires no credentials to exploit it poses a significant risk to any instance whose administration portal is reachable.

Tracked as CVE-2024-0204, the flaw is an authentication bypass in GoAnywhere MFT versions prior to 7.4.1 (Fortra's advisory lists 6.x from 6.0.1 and 7.x before 7.4.1) that lets an unauthorized user create a new administrator account through the administration portal. Fortra published its advisory on January 22, 2024; upgrading to 7.4.1 is the fix.

For users unable to upgrade to version 7.4.1, Fortra describes a temporary workaround. On non-container deployments, delete the "InitialAccountSetup.xhtml" file in the installation directory and restart the services. On container deployments, replace the file with an empty file and restart. Note that this only removes the page the bypass reaches; it is a stopgap, not a substitute for the upgrade.
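As an added example, not code from Fortra or from the original article, the following POSIX shell script applies the interim workaround above to an install directory, handling both deployment styles, and checks that no non-empty copy of the file remains. The install-directory argument, the search for the file by name beneath that directory, and the GOANYWHERE_RESTART_CMD variable are assumptions of this example; the advisory names neither a fixed path nor a service name.

```shell
#!/bin/sh
# Added example, not Fortra's own tooling. Applies the interim workaround from
# Fortra's CVE-2024-0204 advisory to a GoAnywhere MFT install that cannot yet
# move to 7.4.1. Assumptions not stated by the advisory: the install directory
# is passed as an argument, InitialAccountSetup.xhtml is located by name
# anywhere beneath it, and the caller supplies the service-restart command in
# GOANYWHERE_RESTART_CMD because the service name varies by deployment.

SETUP_PAGE='InitialAccountSetup.xhtml'

# Print every copy of the setup page found beneath the given install directory.
find_setup_page() {
    find "$1" -type f -name "$SETUP_PAGE" 2>/dev/null
}

# mitigate_goanywhere <install_dir> host|container
#   host      : delete the file (non-container deployments, per the advisory)
#   container : truncate the file in place so the path still exists but is empty
# Returns 0 on success, 1 if the file was not found, 2 on bad usage.
mitigate_goanywhere() {
    install_dir=$1
    mode=$2
    case "$mode" in
        host|container) ;;
        *) echo "usage: mitigate_goanywhere <install_dir> host|container" >&2; return 2 ;;
    esac
    if ! find_setup_page "$install_dir" | grep -q .; then
        echo "$SETUP_PAGE not found under $install_dir" >&2
        return 1
    fi
    if [ "$mode" = host ]; then
        find "$install_dir" -type f -name "$SETUP_PAGE" -exec rm -f {} +
    else
        # ': > file' truncates without removing it, which is what the
        # container guidance (replace with an empty file) amounts to.
        find "$install_dir" -type f -name "$SETUP_PAGE" -exec sh -c ': > "$1"' _ {} \;
    fi
    # The advisory's last step is to restart the services; run the caller's
    # command only if one was supplied (assumption: no fixed service name).
    if [ -n "${GOANYWHERE_RESTART_CMD:-}" ]; then
        sh -c "$GOANYWHERE_RESTART_CMD"
    fi
}

# verify_mitigated <install_dir>: returns 0 when no non-empty copy of the
# setup page remains beneath the install directory, 1 otherwise.
verify_mitigated() {
    if find "$1" -type f -name "$SETUP_PAGE" -size +0c 2>/dev/null | grep -q .; then
        return 1
    fi
    return 0
}
```

Run it as `GOANYWHERE_RESTART_CMD='...' sh mitigate.sh` after sourcing, or call `mitigate_goanywhere /path/to/install host` followed by `verify_mitigated /path/to/install` from an existing script; a non-zero exit from the verify step means a populated copy of the page is still on disk.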

The vulnerability was discovered and reported by Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants in December 2023. Cybersecurity firm Horizon3.ai, which published a proof-of-concept (PoC) exploit for CVE-2024-0204, explained that the flaw stems from a path traversal weakness involving the "/InitialAccountSetup.xhtml" endpoint: the page is meant to be reachable only before the first administrator account exists, but the traversal lets it be reached on an already-configured instance and used to create an administrative user.

Zach Hanley, a security researcher at Horizon3.ai, recommended checking the Admin Users group in the GoAnywhere administrator portal (Users -> Admin Users) for any unexpected additions; where web access logs are retained, requests to the InitialAccountSetup.xhtml endpoint on an instance whose initial setup was long since completed are a further indicator worth reviewing. Although there is currently no evidence of CVE-2024-0204 being exploited in the wild, a previous flaw in the same product (CVE-2023-0669, CVSS score: 7.2) was exploited by the Cl0p ransomware group, compromising nearly 130 victims last year, so exposed instances should be treated as a priority.
