On January 22, 2024, Fortra published a security advisory on CVE-2024-0204, a critical authentication bypass affecting its GoAnywhere MFT secure managed file transfer product prior to version 7.4.1.

On January 22, 2024, Fortra published a security advisory on CVE-2024-0204, a critical authentication bypass affecting its GoAnywhere MFT secure managed file transfer product prior to version 7.4.1. The vulnerability is remotely exploitable and allows an unauthenticated user to create an admin user via the administration portal.

Fortra evidently addressed this vulnerability in a December 7, 2023 release of GoAnywhere MFT, but it would appear they did not issue an advisory until now.

In February 2023, a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT was exploited in a large-scale extortion campaign conducted by the Cl0p ransomware group. It’s unclear from Fortra’s initial advisory whether CVE-2024-0204 has been exploited in the wild, but we would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month. Rapid7 strongly advises GoAnywhere MFT customers to take emergency action.

Mitigation guidance

CVE-2024-0204 affects the following versions of GoAnywhere MFT:

• Fortra GoAnywhere MFT 6.x from 6.0.1


• Fortra GoAnywhere MFT 7.x before 7.4.1

GoAnywhere MFT customers who have not already updated to a fixed version (7.4.1 or higher) should do so on an emergency basis, without waiting for a regular patch cycle to occur.

Per the vendor advisory, “the vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (registration required).”

If you are unable to update to a fixed version, Fortra has offered two manual mitigation pathways:

• Deleting the InitialAccountSetup.xhtml file in the installation directory and restarting the services.


• Replacing the InitialAccountSetup.xhtml file with an empty file and restarting the services.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-0204 with an unauthenticated vulnerability check expected to be available in today’s (January 23) content release.

Source: Rapid7
Source Link: https://blog.rapid7.com/2024/01/23/etr-cve-2024-0204-critical-authentication-bypass-in-fortra-goanywhere-mft/