Exploit Released for Critical Authentication Bypass Vulnerability in Fortra’s GoAnywhere MFT

Exploit code is now available for a critical authentication bypass vulnerability in Fortra’s GoAnywhere MFT (Managed File Transfer) software that allows attackers to create new admin users on unpatched instances via the administration portal.

GoAnywhere MFT is a web-based managed file transfer tool that helps organizations transfer files securely with partners and keep audit logs of who accessed all shared files.

While Fortra silently patched the bug (CVE-2024-0204) on December 7 with the release of GoAnywhere MFT 7.4.1, the company only publicly disclosed it today in an advisory offering limited information (more details are available in a private customer advisory).

However, Fortra also issued private advisories to customers on December 4 before fixing the flaw, urging them to secure their MFT services to keep their data safe.

Admins who have not yet upgraded and cannot immediately move to the latest version are advised to remove the attack vector by doing one of the following:

  • Deleting the InitialAccountSetup.xhtml file in the installation directory and restarting the services.
  • Replacing the InitialAccountSetup.xhtml file with an empty file and restarting the services.

The company told BleepingComputer on Tuesday that there have been no reports of attacks exploiting this vulnerability.

Today, almost seven weeks later, security researchers with Horizon3’s Attack Team published a technical analysis of the vulnerability and shared a proof-of-concept (PoC) exploit that helps create new admin users on vulnerable GoAnywhere MFT instances exposed online.

Their exploit takes advantage of the path traversal issue at the root of CVE-2024-0204 to reach the vulnerable /InitialAccountSetup.xhtml endpoint and initiate the creation of unauthorized admin users.
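As an added example (not part of the article, and not Fortra's or Horizon3's code), a small Python scanner over constructed web-server access-log lines that flags any request resolving to InitialAccountSetup.xhtml after URL decoding and path normalization, so traversal-style requests do not slip past a naive string match. The log format, paths, and client addresses are assumptions.

```python
# Added example (not from the article or Fortra): flag access-log entries that
# reach InitialAccountSetup.xhtml, including via path traversal. The log format
# and sample lines below are constructed for illustration.
import posixpath
import re
from urllib.parse import unquote

SETUP_PAGE = "InitialAccountSetup.xhtml"
# Common Log Format-style line: client - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def normalize_path(raw_path):
    """URL-decode (twice, to catch double encoding) and collapse '..' segments."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    # ';' path parameters never form part of the resource name, so strip them
    path = re.sub(r";[^/]*", "", path)
    return posixpath.normpath(path)

def classify(line):
    """Return None for benign or unparsable lines, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, raw_path, status = m.groups()
    norm = normalize_path(raw_path)
    if posixpath.basename(norm) != SETUP_PAGE:
        return None
    traversal = ".." in unquote(unquote(raw_path)) or ";" in raw_path
    return {
        "client": client, "time": when, "method": method, "status": int(status),
        "normalized": norm,
        # On an already-configured instance the setup page should never be hit;
        # traversal in the raw path or a POST (account creation) is the stronger signal.
        "severity": "high" if (traversal or method == "POST") else "medium",
    }

SAMPLE_LOG = [  # constructed lines, not from a real instance
    '203.0.113.5 - - [23/Jan/2024:10:00:01 +0000] "GET /goanywhere/login.xhtml HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Jan/2024:10:00:02 +0000] "GET /goanywhere/images/../InitialAccountSetup.xhtml HTTP/1.1" 200 8192',
    '203.0.113.5 - - [23/Jan/2024:10:00:03 +0000] "POST /goanywhere/%2e%2e/InitialAccountSetup.xhtml HTTP/1.1" 302 0',
    '198.51.100.7 - - [23/Jan/2024:10:05:00 +0000] "GET /InitialAccountSetup.xhtml HTTP/1.1" 302 0',
]

def scan(lines):
    """Run classify over every line and keep only the suspicious hits."""
    return [hit for hit in (classify(l) for l in lines) if hit]
```

Run `scan(SAMPLE_LOG)` to see the two traversal requests flagged as high and the plain direct access as medium; in practice, point it at the real access log of the reverse proxy or servlet container in front of the MFT instance.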
