A significant security vulnerability has been identified in Fortra’s GoAnywhere Managed File Transfer (MFT) software, which could be exploited to gain unauthorized administrator access. This flaw, designated CVE-2024-0204, has been assigned a critical CVSS score of 9.8 out of 10, reflecting its severity.
According to an advisory released by Fortra on January 22, 2024, an authentication bypass issue in versions prior to 7.4.1 allows unauthorized users to create administrative accounts via the software’s administrative portal.
For users unable to upgrade to version 7.4.1, Fortra suggests temporary mitigations for non-container deployments. This involves deleting the InitialAccountSetup.xhtml file from the installation directory and restarting system services. In container-based instances, replacing the file with an empty version is recommended, followed by a service restart.
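The interim mitigation above, as an added POSIX shell example (not Fortra's own script). It takes the directory that contains InitialAccountSetup.xhtml as its first argument and a deployment mode as its second, deletes the file for non-container hosts or truncates it to an empty file for containers, and offers a verification function for use after the service restart. The restart command itself is not named in the advisory, so it is left as the placeholder variable RESTART_CMD.

```shell
#!/bin/sh
# Added example, not from the Fortra advisory. Assumptions (placeholders):
#   $1         directory holding InitialAccountSetup.xhtml
#   RESTART_CMD optional command that restarts the GoAnywhere services

# mitigate_initial_setup <dir> <host|container>
#   host      : delete InitialAccountSetup.xhtml (non-container deployment)
#   container : replace it with an empty file (container deployment)
mitigate_initial_setup() {
    dir="$1"
    mode="$2"
    target="$dir/InitialAccountSetup.xhtml"

    if [ ! -e "$target" ]; then
        echo "nothing to do, file not present: $target"
        return 0
    fi

    case "$mode" in
        host)
            rm -f "$target" || return 1
            ;;
        container)
            # truncate in place so the path still exists but serves no setup page
            : > "$target" || return 1
            ;;
        *)
            echo "unknown mode: $mode (expected host or container)" >&2
            return 2
            ;;
    esac

    # placeholder: the advisory requires a service restart after the change
    if [ -n "$RESTART_CMD" ]; then
        $RESTART_CMD || return 1
    fi
    return 0
}

# verify_mitigated <dir>: succeeds when the file is absent or empty
verify_mitigated() {
    target="$1/InitialAccountSetup.xhtml"
    if [ ! -e "$target" ] || [ ! -s "$target" ]; then
        return 0
    fi
    echo "InitialAccountSetup.xhtml still present with content: $target" >&2
    return 1
}
```

Run verify_mitigated again after every upgrade or redeployment; a rebuilt container image or a reinstalled package can restore the original file, which silently undoes this workaround. Upgrading to 7.4.1 remains the actual fix.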
The vulnerability was reported by Mohammed Eldeeb and Islam Elrfai from Cairo-based Spark Engineering Consultants in December 2023. Cybersecurity firm Horizon3.ai has developed a proof-of-concept exploit for CVE-2024-0204, which exploits a path traversal vulnerability within the “/InitialAccountSetup.xhtml” endpoint to create unauthorized administrative accounts.
As stated by Horizon3.ai security researcher Zach Hanley, a key indicator of unauthorized access is visible in the GoAnywhere administrator portal: new, unexpected entries in the Admin Users group. Monitoring that group provides a practical avenue for detecting accounts created through this flaw.
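One way to turn that indicator into a routine check, as an added example that is not GoAnywhere tooling: keep a known-good baseline of the Admin Users group, export the current membership on a schedule, and alert on any name that appears in the current list but not in the baseline. The example assumes both lists are plain text files with one account name per line; how the membership is exported from the portal is outside its scope.

```shell
#!/bin/sh
# Added example, not part of the article or of GoAnywhere.
# Input files (assumption): one administrator account name per line.

# new_admins <baseline_file> <current_file>
#   prints account names present in current but absent from baseline
new_admins() {
    b=$(mktemp)
    c=$(mktemp)
    # comm requires sorted input; -13 suppresses lines unique to the
    # baseline and lines common to both, leaving only new entries
    sort -u "$1" > "$b"
    sort -u "$2" > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# check_admins <baseline_file> <current_file>
#   returns 0 when no new administrators were found, 1 otherwise
#   (suitable as a cron job that pages on non-zero exit)
check_admins() {
    found=$(new_admins "$1" "$2")
    if [ -n "$found" ]; then
        echo "ALERT: administrator accounts not in baseline:" >&2
        echo "$found" >&2
        return 1
    fi
    return 0
}
```

Update the baseline only through a change process, so that an account added by an attacker is never quietly absorbed into the "known-good" set; the check is only as trustworthy as the baseline it compares against.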
While current assessments do not indicate any active exploitation of CVE-2024-0204, there remains a substantial concern given that 96.4% of GoAnywhere MFT installations are still on affected versions, leaving numerous systems vulnerable. This statistic, published by Tenable as of January 23, 2024, underscores the pressing need for businesses to prioritize updates to mitigate risk.
It is notable that the Cl0p ransomware group successfully exploited a previous vulnerability in the GoAnywhere software (CVE-2023-0669, CVSS score: 7.2) last year, leading to significant breaches across nearly 130 organizations. This historical context highlights the ongoing threats targeting the GoAnywhere platform and the necessity for robust security practices.