Critical Security Flaw in GoAnywhere MFT: Users Exposed to Unauthorized Admin Access

Understanding CVE-2024-0204

This vulnerability, with a high CVSS score of 9.8, arises from a path traversal weakness in the "/InitialAccountSetup.xhtml" endpoint, enabling the creation of administrative users. It affects versions 6.x from 6.0.1 and 7.4.0 and earlier. This flaw was discovered and first reported as early as December 2023 but the company only publicly disclosed it in a recent advisory.

Exploitation & Impact

Creating admin accounts using this vulnerability could result in a full device takeover by cybercriminals, granting such cybercriminals access to sensitive data, the ability to inject malware, and the opportunity to facilitate further network attacks. While there's no current evidence of active exploitation in the wild for CVE-2024-0204, the Horizon3.ai security team has recently published a Proof of Concept (PoC) exploit for the vulnerability, which will likely facilitate threat actors exploiting unpatched instances. One indicator of compromise is the presence of any new additions to the 'Admin users' group in the GoAnywhere administrator portal Users / Admin Users section.

Patch & Mitigation

Fortra urges administrators to upgrade to version 7.4.1. For those unable to apply the fix, temporary workarounds include deleting the "InitialAccountSetup.xhtml" file in the installation directory and restarting services. In container-deployed instances, the recommendation is to replace the file with an empty one and restart services.

Holm Security Vulnerability Management Platform

Holm Security has released an authenticated Vulnerability Test that will verify if the version installed on the target systems is vulnerable to these flaws:

- HID-2-1-5355472 GoAnywhere MFT: Authentication Bypass Vulnerability (fi-2024-001)

For latest information, please refer to this help desk article.