
Urgent Security Update: CVE-2024-0204 in Fortra GoAnywhere MFT – Critical Authentication Bypass Vulnerability

Bar Refael

January 25, 2024

Critical Security Alert: CVE-2024-0204, a severe vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software, enables unauthorized attackers to create administrative users, leading to potential full system compromise. This issue is particularly critical due to its potential impact on business operations, including data breaches and compliance risks.

Immediate Action Required: Organizations using the affected software must urgently apply the provided patch. Delaying this update could expose systems to unauthorized access, compromising data security and integrity. Continuous monitoring for any signs of exploitation is also essential.

Key Details

  • Product Affected: Fortra GoAnywhere MFT, a web-based file transfer tool.
  • Vulnerability Impact: Enables attackers to create administrative users, compromising the security of the MFT services.
  • Patch Release Date: December 7, 2023 (Release of GoAnywhere MFT 7.4.1).
  • Public Disclosure Date: Recently disclosed with limited details, following an earlier private customer advisory on December 4.

Exploit Mechanism:

  • Nature of Vulnerability: The critical vulnerability CVE-2024-0204 in Fortra’s GoAnywhere MFT is rooted in a path traversal issue. Path traversal, also known as directory traversal, is a security flaw that allows an attacker to access directories and files stored outside the web root folder.
  • Target Endpoint: The exploit specifically targets the /InitialAccountSetup.xhtml endpoint. This endpoint is typically used during the initial setup process of GoAnywhere MFT for creating administrative users.
  • Exploit Execution: By exploiting the path traversal vulnerability, attackers can illicitly access this setup page, even after the initial setup is completed. This unauthorized access bypasses normal authentication processes, allowing attackers to create new administrative users without proper credentials.

Vulnerability Disclosure Details:

  • Vulnerability Details: CVE-2024-0204 allows an unauthenticated attacker to create an administrative user in the GoAnywhere MFT application. Fortra disclosed this on January 22, 2024, although a patch had been available since December 4, 2023.
  • Endpoint Vulnerability: The specific vulnerability involves the /InitialAccountSetup.xhtml endpoint. This endpoint can be deleted or modified as a mitigation step.

Technical Analysis:

  • The vulnerable endpoint is linked to the com.linoma.ga.ui.admin.users.InitialAccountSetupForm class.
  • Comparison between versions 7.4.0 and 7.4.1 of this file shows additional checks added in the latest version to prevent unauthorized access.
  • The com.linoma.dpa.security.SecurityFilter class plays a crucial role in request routing and authentication validation.

Exploitation Technique:

  • The exploit uses a path traversal issue, a common vulnerability in Tomcat-based applications.
  • By manipulating the URL (/..;/), the exploit bypasses the doFilter() method, allowing unauthorized access to the setup page to create a new administrative user.
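
Seen from the detection side, the request pattern above can be hunted in web access logs. The following is an added example, not code from Fortra or from the original post: it percent-decodes each request path and flags any hit on the setup page, with a stronger verdict when a `..;` path-parameter segment precedes it. The log layout, URL prefixes and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

SETUP_PAGE = "initialaccountsetup.xhtml"  # endpoint named in the advisory
# Assumed common/combined access-log layout: client ... "METHOD path HTTP/x" status
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def normalize(path, rounds=3):
    """Drop the query string, then percent-decode repeatedly (catches %2e%2e%3b)."""
    path = path.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(path):
    """Return 'traversal-to-setup', 'setup-page' or None for one request path."""
    segments = normalize(path).split("/")
    # A segment such as "..;" or "..;x=1": name part "..", plus a ";" path parameter.
    dotdot_param = any(";" in s and s.split(";", 1)[0] == ".." for s in segments)
    hits_setup = segments[-1].split(";", 1)[0].lower() == SETUP_PAGE
    if hits_setup and dotdot_param:
        return "traversal-to-setup"
    return "setup-page" if hits_setup else None

def scan(lines):
    """Return (client, method, status, verdict) for each suspicious log line."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (verdict := classify(m.group(3))):
            findings.append((m.group(1), m.group(2), int(m.group(4)), verdict))
    return findings

# Constructed sample lines: documentation IPs and made-up URL prefixes, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [23/Jan/2024:10:02:11 +0000] "GET /app/static/..;/InitialAccountSetup.xhtml HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Jan/2024:10:02:14 +0000] "POST /app/static/%2e%2e%3b/InitialAccountSetup.xhtml HTTP/1.1" 302 0',
    '203.0.113.20 - - [23/Jan/2024:10:05:40 +0000] "GET /app/Dashboard.xhtml HTTP/1.1" 200 18233',
    '203.0.113.20 - - [23/Jan/2024:10:06:02 +0000] "GET /app/InitialAccountSetup.xhtml HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any hit on the setup page after initial setup is worth correlating with the timestamps of new entries in the Admin Users group.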

Proof of Concept (PoC):

  • A PoC exploit has been made publicly available, increasing the risk of exploitation.

Implications and Recommendations:

  • Increased Exploitation Risk: The publication of a PoC increases the risk of exploitation, as it provides a practical blueprint for attackers to exploit this vulnerability.
  • Urgent Patching Required: Organizations using GoAnywhere MFT should apply the patch immediately to close this vulnerability.
  • Monitoring for Compromises: The key indicators of compromise include unauthorized additions to the Admin Users group and unusual log entries in the GoAnywhere database logs.
  • Awareness and Vigilance: This report underscores the need for continuous vigilance and regular updates in the cybersecurity landscape. Understanding the technical aspects of vulnerabilities helps in formulating more effective defense strategies.

Mitigation Strategies:

  • Recommended Patch: Upgrade to GoAnywhere MFT 7.4.1 immediately.
  • Alternative Mitigations:
      • Delete the InitialAccountSetup.xhtml file in the installation directory and restart services.
      • Replace the InitialAccountSetup.xhtml file with an empty file and restart services.
  • No Reports of Active Exploitation: As of the latest update, no attacks exploiting this vulnerability have been reported.

Broader Context and Historical Patterns:

  • Clop Ransomware Gang’s History: Provide specific examples or incidents where the Clop ransomware gang has exploited MFT vulnerabilities, indicating a pattern that organizations should be aware of for future threat preparedness.

Urgency and Overall Recommendations:

  • Recommended Actions: Consider breaking down the prioritized actions into a timeline or phases. For example, what should organizations do immediately upon reading the report, within the next week, and within the next month?

Indicators of Compromise:

  • Admin User Creation: This indicator is crucial because it directly relates to the exploitation of the vulnerability. If unauthorized admin users are added to the ‘Admin users’ group, it’s a clear sign that the system has been compromised. Monitoring this group for any unexpected additions allows organizations to promptly detect and respond to unauthorized access.
  • Log Analysis: Monitoring the last logon activities of newly created admin users is an excellent way to identify the timeframe of compromise. It helps organizations understand when unauthorized access occurred. This information is essential for investigating the extent of the breach and taking appropriate actions.

Urgency and Recommendations

  • Given the availability of a PoC exploit, the likelihood of imminent exploitation by threat actors is high.
  • Urgent Patching: Customers using GoAnywhere MFT should urgently update to the patched version or apply alternative mitigations.

The discovery and disclosure of CVE-2024-0204, coupled with the release of a PoC exploit, place a critical emphasis on immediate action by organizations using Fortra’s GoAnywhere MFT. Given the historical context of MFT platforms being targeted by ransomware groups, especially Clop, the risk of exploitation is significantly heightened.

Stay safe and informed,

OP Innovate
