How does Holm Security support detection for GoAnywhere MFT (CVE-2024-0204)?

A Critical Security Flaw in GoAnywhere MFT Exposes Users to Unauthorized Admin Access

GoAnywhere Managed File Transfer (MFT) software by Fortra, widely used for secure file transfers, is affected by a critical security flaw that puts users at risk. The flaw, CVE-2024-0204, allows unauthorized remote users to create admin accounts, potentially leading to a complete takeover of affected devices.

Vulnerability Overview

The vulnerability, which carries a high CVSS score of 9.8, stems from a path traversal weakness in the "/InitialAccountSetup.xhtml" endpoint that enables the creation of administrative users. It affects 6.x versions from 6.0.1 onward and 7.x versions up to and including 7.4.0. The flaw was discovered and reported as early as December 2023, but the vendor only publicly disclosed it in a recent advisory.

Impact & Exploitation

Creating admin accounts through this vulnerability could result in a full device takeover, including giving attackers access to sensitive data, injecting malware, and facilitating further attacks on the network. While there is currently no evidence of active exploitation of CVE-2024-0204 in the wild, the Horizon3.ai security team has recently published a PoC exploit for the vulnerability, which will likely make it easier for threat actors to exploit unpatched instances. An indicator of compromise that is easy to check is the presence of new entries in the 'Admin users' group, found in the GoAnywhere administrator portal under Users / Admin Users.

Mitigations & Patches

Administrators are urged to upgrade to version 7.4.1. Those unable to apply the fix can use a temporary workaround: delete the "InitialAccountSetup.xhtml" file in the installation directory and restart the services. For container-deployed instances, the recommendation is to replace the file with an empty one and restart the services.

Update 2024-01-24: New test added

Holm Security has released an authenticated vulnerability test that verifies whether the version installed on the target systems is vulnerable to this flaw:

  • HID-2-1-5355472
    GoAnywhere MFT: Authentication Bypass Vulnerability (CVE-2024-0204)
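As an added illustration of the two checks this page describes (the affected-version ranges from the overview, and requests reaching the InitialAccountSetup.xhtml endpoint), here is a Python script that classifies a GoAnywhere MFT version and scans web-access-log lines for requests that resolve to the setup page. This is example code, not Holm Security's test or Fortra's code; the Common Log Format layout, the `/goanywhere/` path prefix and the sample log lines are assumptions, and the traversal spellings in the sample are constructed, not the published PoC.

```python
import re
from urllib.parse import unquote

SETUP_PAGE = "initialaccountsetup.xhtml"
# Common Log Format (assumed); adapt the pattern to the web tier in front of GoAnywhere.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def is_affected(version: str) -> bool:
    """Ranges named on this page: 6.x from 6.0.1, and 7.x up to 7.4.0 (fixed in 7.4.1)."""
    nums = [int(p) for p in re.findall(r"\d+", version)] + [0, 0, 0]
    major, minor, patch = nums[:3]
    if major == 6:
        return (minor, patch) >= (0, 1)
    if major == 7:
        return (minor, patch) <= (4, 0)
    return False

def normalize_path(raw: str) -> str:
    """Decode twice (double encoding), drop the query, resolve '.'/'..' segments."""
    path = unquote(unquote(raw)).split("?", 1)[0].lower()
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def find_setup_page_hits(log_lines):
    """(ip, method, raw_path, status) per request that resolves to the setup page; after first-run setup, any such hit is suspect."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and normalize_path(m["path"]).endswith("/" + SETUP_PAGE):
            hits.append((m["ip"], m["method"], m["path"], m["status"]))
    return hits

# Constructed sample access-log lines, not real traffic; 198.51.100.7 is a documentation address.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2024:10:01:02 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 5120',
    '10.0.0.5 - - [24/Jan/2024:10:01:09 +0000] "POST /goanywhere/auth/Login.xhtml HTTP/1.1" 302 0',
    '198.51.100.7 - - [24/Jan/2024:10:02:33 +0000] "GET /goanywhere/images/../InitialAccountSetup.xhtml HTTP/1.1" 200 7311',
    '198.51.100.7 - - [24/Jan/2024:10:02:40 +0000] "POST /goanywhere/images/%2E%2E/InitialAccountSetup.xhtml HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print({v: is_affected(v) for v in ("6.0.0", "6.8.3", "7.4.0", "7.4.1")})
    for hit in find_setup_page_hits(SAMPLE_LOG):
        print("setup page reached:", *hit)
```

The last sample line shows why log review still matters after the workaround: with the file removed the request fails with a 404, but the attempt itself remains visible.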

Update 2024-02-02: All tests added

Coverage completed for the vulnerability.

More information

You can read more about this vulnerability in our blog.