Last updated at Tue, 27 Feb 2024 17:15:15 GMT

On January 22, 2024, Fortra published a security advisory on CVE-2024-0204, a critical authentication bypass affecting its GoAnywhere MFT secure managed file transfer product prior to version 7.4.1. The vulnerability is remotely exploitable and allows an unauthorized user to create an admin user via the administration portal. Fortra lists the root cause of CVE-2024-0204 as CWE-425: Forced Browsing , which is a weakness that occurs when a web application does not adequately enforce authorization on restricted URLs, scripts, or files.

Fortra evidently addressed this vulnerability in a December 7, 2023 release of GoAnywhere MFT, but it would appear they did not issue an advisory until now. According to a screenshot from Mohammed Eldeeb, the researcher who discovered the vulnerability, private communications went out to GoAnywhere MFT customers circa December 4. Fortra has since indicated to news outlets that CVE-2024-0204 was not exploited in the wild at time of disclosure.

In February 2023, a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT was exploited in a large-scale extortion campaign conducted by the Cl0p ransomware group. It’s unclear from Fortra’s initial advisory whether CVE-2024-0204 has been exploited in the wild, but we would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month. Rapid7 strongly advises GoAnywhere MFT customers to take emergency action.

Mitigation guidance

CVE-2024-0204 affects the following versions of GoAnywhere MFT:

  • Fortra GoAnywhere MFT 6.x from 6.0.1
  • Fortra GoAnywhere MFT 7.x before 7.4.1

GoAnywhere MFT customers who have not already updated to a fixed version (7.4.1 or higher) should do so on an emergency basis, without waiting for a regular patch cycle to occur. Organizations should also ensure that administrative portals are not exposed to the public internet.

Per the vendor advisory, “the vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (registration required).”

If you are unable to update to a fixed version, Fortra has offered two manual mitigation pathways:

  • Deleting the InitialAccountSetup.xhtml file in the installation directory and restarting the services.
  • Replacing the InitialAccountSetup.xhtml file with an empty file and restarting the services.

Rapid7 customers

InsightVM and Nexpose customers are able to assess their exposure to CVE-2024-0204 with an unauthenticated vulnerability check (vuln ID: goanywhere-cve-2024-0204) available in the content update released on January 23 at 3:20pm ET.

Updates

January 23, 2024: Updated to note that the vulnerability appears to have been communicated to GoAnywhere MFT customers privately in early December. Mitigation guidance updated to reinforce that administrative portals should not be exposed to the public internet.

January 24, 2024: Updated to reflect that Fortra has indicated CVE-2024-0204 was not exploited in the wild at time of public disclosure.