
CVE-2024-0204: Critical Authentication Bypass in Fortra GoAnywhere MFT

On January 22, 2024, Fortra issued a security advisory for a critical authentication bypass, CVE-2024-0204, in its GoAnywhere MFT secure managed file transfer product. A remote attacker can gain unauthorized access and create an admin user via the administration portal. Affected versions are Fortra GoAnywhere MFT 6.x from 6.0.1 and 7.x before 7.4.1.

The root cause of CVE-2024-0204 is "Forced Browsing," a weakness that occurs when an application does not adequately enforce authorization on restricted URLs, scripts, or files. Fortra addressed the issue in the GoAnywhere MFT release of December 7, 2023, but did not issue an advisory until January 2024.

Although Fortra indicated that the vulnerability had not been exploited in the wild at the time of disclosure, Rapid7 advises GoAnywhere MFT customers to take emergency action. From the initial advisory, it is unclear whether CVE-2024-0204 has been exploited in the wild; still, it is expected to become a target of attack quickly, mainly because the fix has been available for over a month.

To mitigate the vulnerability, GoAnywhere MFT customers who have not updated to a fixed version (7.4.1 or higher) should do so on an emergency basis without waiting for a regular patch cycle. It is also recommended that administrative portals are not exposed to the public internet. Fortra has also offered two manual mitigation pathways for those unable to update to a fixed version: for non-container deployments, the vulnerability can be eliminated by deleting the InitialAccountSetup.xhtml file in the installation directory and restarting the services; for container-deployed instances, replace the file with an empty file and restart.
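As an added example (not from the Fortra or Rapid7 advisories), a small POSIX shell check an administrator can run to confirm whether a host's version falls in the affected range and whether the InitialAccountSetup.xhtml mitigation has been applied. The directory argument is assumed to be the one that contains that file; the version string is assumed to come from the installation's own records.

```shell
#!/bin/sh
# Defender-side status check for CVE-2024-0204 on a GoAnywhere MFT host.
# Constructed example: the version string and directory are supplied by the caller.

# is_affected VERSION -> succeeds when 6.0.1 <= VERSION < 7.4.1 (the range in the advisory)
is_affected() {
    # Encode MAJOR.MINOR.PATCH as a single integer so ranges compare numerically.
    num=$(printf '%s' "$1" | awk -F. '{ printf "%d", $1*10000 + $2*100 + $3 }')
    [ "$num" -ge 60001 ] && [ "$num" -lt 70401 ]
}

# mitigation_status DIR -> prints "removed", "emptied", or "present"
# "removed" matches the non-container mitigation, "emptied" the container one.
mitigation_status() {
    f="$1/InitialAccountSetup.xhtml"
    if [ ! -e "$f" ]; then
        echo removed
    elif [ ! -s "$f" ]; then
        echo emptied
    else
        echo present
    fi
}

# check_host VERSION DIR -> prints "not-affected", "mitigated", or "vulnerable"
check_host() {
    if is_affected "$1"; then
        case "$(mitigation_status "$2")" in
            present) echo vulnerable ;;
            *)       echo mitigated ;;
        esac
    else
        echo not-affected
    fi
}
```

A host reported as "mitigated" still needs the 7.4.1 upgrade; the manual workaround only removes the setup page, it does not bring the installation to a fixed version.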
