Fortra Discloses Critical Auth Bypass Vuln in GoAnywhere MFT

PoC exploit code for flaw is publicly available, heightening breach risks for users of the managed file-transfer technology.

A proof-of-concept exploit is now available for a near maximum-severity flaw in Fortras GoAnywhere Managed File Transfer (MFT) software that the company publicly disclosed on Jan. 23 after quietly informing customers about the threat almost seven weeks ago.
The release of the exploit means mass attacks targeting the flaw are almost certain to begin soon. According to telemetry that Tenable analyzed, less than 4% of GoAnywhere MFT assets appear to be fixed versions, meaning more than 96% are at significantly heightened risk of compromise.
Last year, the Cl0p ransomware group exploited a remote code injection bug in GoAnywhere (CVE-2023-0669) — initially as a zero-day — to deploy ransomware on systems belonging to
more than 130 organizations
, including Procter & Gamble, Hitachi Energy, the city of Toronto, Community Health Systems, and Hatch Bank.
The newly disclosed
CVE-2024-0204
is an authentication bypass vulnerability that affects Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.x before 7.4.1. The vulnerability allows an unauthenticated remote attacker to bypass typical authentication checks and create new user accounts, including those with administrator-level privileges. Fortra has assigned the vulnerability a severity score of 9.8, which is close to the maximum possible 10 on the CVSS severity scoring scale.
Fortra privately informed customers about the vulnerability on Dec. 7, 2023, and issued a patch for it, after two bug hunters reported the issue to the company. Following Fortras disclosure of the bug on Jan. 23, researchers from
Horizon3.ai published a proof-of-concept exploit
for CVE-2024-0204 along with indicators of compromise (IoCs) and technical details of the bug. The exploit demonstrates how an attacker can abuse the vulnerability to add an administrative user on vulnerable instances of GoAnywhere MFT.
The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section, Horizon3.ai said. If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise.
James Horseman, exploit developer at Horizon3.ai, described the new vulnerability as trivial to exploit. An attacker can easily scan the Internet for instances of GoAnywhere MFT using Shodan or a similar tool, he says. After that, any attacker can easily try the exploit to determine if the instance is vulnerable.
Thousands of organizations currently use GoAnywhere MFT to manage ad hoc and batch file transfers in what the company describes as a secure, fully encrypted, and auditable fashion. The company has
described users of GoAnywhere
as ranging from small organizations to Fortune 500 companies, nonprofits, and government agencies.
Managed file transfer technologies such as GoAnywhere are a treasure trove of information for attackers, says Scott Caveza, senior research engineer at Tenable, which has
published a blog post
on CVE-2024-0204. [The products are] typically used by organizations as a quick and easy way to share information with customers, partners, and internal stakeholders, Caveza notes. Sensitive information is likely to be found on these systems, making them a very attractive target.
The Cl0p ransomware groups attack on the GoAnywhere MFT flaw from 2023 (CVE-2023-0669) was one of the
most visible manifestations
of that interest. The attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to include the vulnerability in a
June 2023 advisory
on the Cl0p ransomware threat.
Caveza says it was not just the Cl0p gang that targeted the flaw. While the Cl0p ransomware variant gained the most attention and was widely used, weve seen reports from various third parties to suggest that BlackCat (ALPHV) and LockBit may have also exploited CVE-2023-0669 as well, he says. Its likely these other groups began their exploitation after the vulnerability was publicly known.
Fortras decision to delay public disclosure of the new bug by several weeks almost certainly stemmed from an effort to give customers an opportunity to patch the issue before attackers began jumping all over it. The company attracted some flak last year for the way it handled communications regarding CVE-2023-0669. In fact, it wasnt until cybersecurity news site Krebs on Security posted Fortras advisory on the bug that most people even learned about the threat.
Weve observed vendors who have taken the approach of privately disclosing to their customers before making a public advisory, which has had mixed success, Caveza says. On one hand, it gives your customers the chance to apply a patch or mitigation before details are public. On the other hand, the lack of transparency could affect public image.
Its a sentiment that Horseman shares. By delaying disclosure, an organization gives customers time to mitigate and prepare. On the other hand, users may not feel the urgency to patch without the public disclosure, Horseman says. Patching can disrupt business operations and requires pre-planning. By delaying public disclosure, vendors are withholding information from users that can be used when determining when to patch.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Fortra Discloses Critical Auth Bypass Vuln in GoAnywhere MFT