Zero-Day Alert: Fortra’s GoAnywhere MFT Compromised

This critical flaw, rated 9.8/10 on the Common Vulnerability Scoring System (CVSS) scale, enables unauthorized users to sneak in as administrators

Caleb
InfoSec Write-ups


A recent zero-day vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software has surfaced, posing a severe security risk.

Identified as CVE-2024-0204, this vulnerability has sent a wave of concern across the cybersecurity community due to its high potential for exploitation.

Let’s dissect this vulnerability.

Understanding CVE-2024-0204

CVE-2024-0204 manifests as an authentication bypass in versions of GoAnywhere MFT prior to 7.4.1.

Essentially, it allows an unauthorized individual to create an admin user via the administration portal. This is particularly alarming because of the level of access and control an admin account holds.

Fortra issued an advisory on January 22, 2024, describing the problem and providing mitigation steps.

They advise users who cannot immediately upgrade to the patched version 7.4.1 to delete or replace the InitialAccountSetup.xhtml file in their installation directory and restart their services.

Technical Dive into the Flaw

The heart of this issue lies in a path traversal weakness in the /InitialAccountSetup.xhtml endpoint.

Path traversal vulnerabilities occur when software fails to properly sanitize input, allowing attackers to access or manipulate files outside of the intended directory.

In this case, the flaw could be exploited to create administrative users.

A detailed technical explanation of this vulnerability, including proof-of-concept (PoC) code, is available on GitHub, provided by Horizon3.ai.

You can explore it here.

This repository offers valuable insights into how the vulnerability can be exploited, making it a crucial resource for both security professionals and concerned users.

Identifying and Mitigating Risk

How do you know if you’ve been compromised?

Horizon3.ai’s security researcher, Zach Hanley, suggests monitoring for new additions to the Admin Users group in the GoAnywhere administrator portal (Users -> Admin Users section).

Observing the last logon activity of these users can give an indication of any potential breach.
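As an added example (not code from this article, from Fortra, or from Horizon3.ai), the Python script below turns the advisory's version boundary and the detection advice above into two checks: whether an installed version predates 7.4.1, and which admin accounts are either unknown to a reviewed baseline or created after the last review. The admin-user record layout and the sample entries are constructed assumptions, not GoAnywhere's real export format.

```python
"""Defensive checks for CVE-2024-0204 (GoAnywhere MFT): version exposure and
new-admin detection. The record layout and sample data are constructed for
illustration; they are not GoAnywhere's actual export format."""
from datetime import datetime, timezone

PATCHED = (7, 4, 1)  # first fixed release named in Fortra's advisory


def parse_version(version: str) -> tuple:
    """Turn '7.4.0' into (7, 4, 0) so that '7.10.0' sorts after '7.4.1'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True for any GoAnywhere MFT release prior to 7.4.1."""
    return parse_version(version) < PATCHED


def flag_new_admins(admin_users, known_admins, since):
    """Return admin usernames that are absent from the approved baseline or
    were created after `since` (the last reviewed snapshot). Both conditions
    are checked because an injected account may reuse a plausible name."""
    flagged = []
    for user in admin_users:
        created = datetime.fromisoformat(user["created"])
        if user["username"] not in known_admins or created > since:
            flagged.append(user["username"])
    return flagged


# Constructed sample of a Users -> Admin Users snapshot (assumed layout).
SAMPLE_ADMINS = [
    {"username": "administrator", "created": "2022-03-01T09:00:00+00:00",
     "last_logon": "2024-01-21T08:12:00+00:00"},
    {"username": "backupadmin", "created": "2023-06-15T14:30:00+00:00",
     "last_logon": None},
    {"username": "svc-support", "created": "2024-01-23T02:47:00+00:00",
     "last_logon": "2024-01-23T02:48:00+00:00"},
]
KNOWN_ADMINS = {"administrator", "backupadmin"}  # reviewed baseline
LAST_REVIEW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for v in ("7.3.0", "7.4.0", "7.4.1", "7.5.0"):
        print(f"GoAnywhere {v}: {'vulnerable' if is_vulnerable(v) else 'patched'}")
    by_name = {u["username"]: u for u in SAMPLE_ADMINS}
    for name in flag_new_admins(SAMPLE_ADMINS, KNOWN_ADMINS, LAST_REVIEW):
        print(f"review admin account {name}: last logon {by_name[name]['last_logon']}")
```

Reporting last logon alongside each flagged account mirrors the advice above: an admin account that appeared after the last review and has already logged on deserves immediate attention.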

While there’s no current evidence of active exploitation of CVE-2024-0204, it’s worth noting that a different flaw in the same product (CVE-2023-0669) was previously exploited by the Cl0p ransomware group, affecting numerous victims.

This historical context underscores the importance of proactive security measures.


If you have questions or feedback, don’t hesitate to reach out at caleb.pro@pm.me or in the comments section.

[Disclosure: Every article I pen is a fusion of my ideas and the supportive capabilities of artificial intelligence. While AI assists in refining and elaborating, the core thoughts and concepts stem from my perspective and knowledge. To know more about my creative process, read this article.]
