On January 22, 2024, Fortra published a security advisory on CVE-2024-0204, a critical authentication bypass affecting its GoAnywhere MFT secure managed file transfer product prior to version 7.4.1. The vulnerability is remotely exploitable and allows an unauthorized user to create an admin user via the administration portal. Fortra lists the root cause of CVE-2024-0204 as CWE-425: Forced Browsing , which is a weakness that occurs when a web application does not adequately enforce authorization on restricted URLs, scripts, or files.
Fortra evidently addressed this vulnerability in a December 7, 2023 release of GoAnywhere MFT, but it would appear they did not issue an advisory until now. According to a screenshot from Mohammed Eldeeb, the researcher who discovered the vulnerability, private communications went out to GoAnywhere MFT customers circa December 4.
In February 2023, a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT was exploited in a large-scale extortion campaign conducted by the Cl0p ransomware group. It’s unclear from Fortra’s initial advisory whether CVE-2024-0204 has been exploited in the wild, but we would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month. Rapid7 strongly advises GoAnywhere MFT customers to take emergency action.
