CVE-2024-0204: Critical Authentication Bypass in Fortra’s GoAnywhere MFT

Share :

On 22 January 2024, Fortra publicly disclosed a critical vulnerability, CVE-2024-0204, in their GoAnywhere MFT product. This vulnerability, which was responsibly disclosed to Fortra by Spark Engineering Consultants, had been patched on 7 December 2023. CVE-2024-0204 is a severe authentication bypass vulnerability with a CVSS score of 9.8. The vulnerability allows unauthenticated attackers to bypass authentication mechanisms and create an admin user via the administration portal, which could then lead to remote code execution. 

There is no evidence of active exploitation or a public PoC available at the time of disclosure. However, given that vulnerabilities in GoAnywhere MFT have been previously exploited by ransomware groups affiliated with CL0P, there is a significant risk that threat actors will attempt to reverse engineer exploit details from the patch published by Fortra. CVE-2023-0669, a separate remote code execution vulnerability, had been added to CISA Known Exploited Vulnerabilities Catalog as of early 2023. 

Update (23 January 2023): A proof-of-concept exploit is now available, with a detailed technical write-up published. Signs of active exploitation were first observed by Arctic Wolf on January 23, 2023. 

Recommendations for CVE-2024-0204

Upgrade To a Fixed Version of GoAnywhere MFT 

Arctic Wolf strongly recommends upgrading to the latest fixed version of GoAnywhere MFT as specified by Fortra. Please refer to the security advisory published by the vendor for detailed instructions. 

Affected Product  Affected Versions  Fixed Versions 
GoAnywhere MFT  6.x from 6.0.1 onwards 

7.x before 7.4.1 

7.4.1 or higher 

 

Please follow your organisation’s patching and testing guidelines to avoid any operational impact. 

Workarounds 

Delete or Replace InitialAccountSetup.xhtml 

For those unable to immediately upgrade, Fortra has provided a workaround: 

  • For non-container deployments, delete the `InitialAccountSetup.xhtml` file in the installation directory and restart the services. 
  • For container-deployed instances, replace the file with an empty file and restart the services. 

References 

Stefan Hostetler

Stefan Hostetler

Stefan is a Senior Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.
Share :
Table of Contents
Categories