On January 22, 2024, Fortra publicly disclosed a critical vulnerability, CVE-2024-0204, in their GoAnywhere MFT product. This vulnerability, which was responsibly disclosed to Fortra by Spark Engineering Consultants, had been patched on December 7, 2023. CVE-2024-0204 is a severe authentication bypass vulnerability with a CVSS score of 9.8. The vulnerability allows unauthenticated attackers to bypass authentication mechanisms and create an admin user via the administration portal, which could then lead to remote code execution.
There is no evidence of active exploitation or a public PoC available at the time of disclosure. However, given that vulnerabilities in GoAnywhere MFT have been previously exploited by ransomware groups affiliated with CL0P, there is a significant risk that threat actors will attempt to reverse engineer exploit details from the patch published by Fortra. CVE-2023-0669, a separate remote code execution vulnerability, had been added to CISA's Known Exploited Vulnerabilities Catalog as of early 2023.
Update (January 23, 2023): A proof-of-concept exploit is now available, with a detailed technical write-up published. Signs of active exploitation were first observed by Arctic Wolf on January 23, 2023.
Recommendations for CVE-2024-0204
Upgrade To a Fixed Version of GoAnywhere MFT
Arctic Wolf strongly recommends upgrading to the latest fixed version of GoAnywhere MFT as specified by Fortra. Please refer to the security advisory published by the vendor for detailed instructions.
| Affected Versions | Fixed Version |
| --- | --- |
| 6.x from 6.0.1 onwards | 7.4.1 or higher |
| 7.x before 7.4.1 | 7.4.1 or higher |
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
Delete or Replace InitialAccountSetup.xhtml
For those unable to immediately upgrade, Fortra has provided a workaround:
- For non-container deployments, delete the `InitialAccountSetup.xhtml` file in the installation directory and restart the services.
- For container-deployed instances, replace the file with an empty file and restart the services.
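As an added example (not Fortra's or Arctic Wolf's code), the following Python script encodes the version table and the workaround above so an administrator can assess an instance as patched, mitigated or still vulnerable. It assumes the installed version string is obtained separately (for example from the administration portal) and that `InitialAccountSetup.xhtml` sits directly in the installation directory, as the advisory states; the `demo()` function works on a constructed throwaway directory, not a real install.

```python
import tempfile
from pathlib import Path

def parse_version(text: str) -> tuple:
    """Turn '7.4.1' (or '7.4') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_affected(version: str) -> bool:
    """Apply the advisory's table: 6.x from 6.0.1 onwards and 7.x before 7.4.1."""
    v = parse_version(version)
    if v[0] == 6:
        return v >= (6, 0, 1)
    if v[0] == 7:
        return v < (7, 4, 1)
    return False  # outside the ranges the advisory names

def workaround_applied(install_dir: str) -> bool:
    """True if InitialAccountSetup.xhtml was deleted (non-container) or emptied (container)."""
    root = Path(install_dir)
    if not root.is_dir():
        raise FileNotFoundError(f"installation directory not found: {install_dir}")
    setup_page = root / "InitialAccountSetup.xhtml"
    return not setup_page.exists() or setup_page.stat().st_size == 0

def assess(version: str, install_dir: str) -> str:
    """Return 'patched', 'mitigated' or 'vulnerable' for one instance."""
    if not is_affected(version):
        return "patched"
    return "mitigated" if workaround_applied(install_dir) else "vulnerable"

def demo() -> dict:
    """Walk a constructed, throwaway install directory through each state (sample data only)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        setup_page = Path(d) / "InitialAccountSetup.xhtml"
        setup_page.write_text("<html/>")  # page still present: workaround not applied
        results["7.3.0 with page present"] = assess("7.3.0", d)
        setup_page.write_text("")  # replaced with an empty file, as for container deployments
        results["7.3.0 with page emptied"] = assess("7.3.0", d)
        setup_page.unlink()  # deleted, as for non-container deployments
        results["7.3.0 with page deleted"] = assess("7.3.0", d)
        results["7.4.1 after upgrade"] = assess("7.4.1", d)
    return results

if __name__ == "__main__":
    print(demo())
```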