Critical Fortra GoAnywhere MFT auth bypass bug has an exploit released
Exploit code has been released for a critical authentication bypass vulnerability in Fortra's GoAnywhere MFT software, which allows attackers to create new admin users through the administration portal of unpatched instances.
GoAnywhere MFT is a web-based tool used for secure file transfers between organizations and for the tracking of file access.
Fortra silently released a patch for the bug (CVE-2024-0204) on December 7 with GoAnywhere MFT version 7.4.1, but only disclosed it publicly today, in an advisory with limited details; more information was made available privately to its customers.
The company had privately notified customers of the bug on December 4, advising them to secure their MFT services to safeguard their data.
Administrators who can’t immediately upgrade to the latest version, or haven’t done so yet, are advised to remove the attack vector by either deleting or replacing the InitialAccountSetup.xhtml file in the installation directory and restarting the services.
According to a statement from Fortra to BleepingComputer on Tuesday, no attacks exploiting this vulnerability have been reported.
Almost seven weeks later, security researchers with Horizon3's Attack Team published a technical analysis of the flaw and released a proof-of-concept (PoC) exploit that can create new admin users on vulnerable GoAnywhere MFT instances exposed online.
The exploit abuses the path traversal issue underlying CVE-2024-0204 to reach the vulnerable /InitialAccountSetup.xhtml endpoint, the initial account setup screen used to create a new administrator account, which should not be reachable once the server's setup process has completed.
With a PoC exploit now public, threat actors will likely start scanning for and compromising any GoAnywhere MFT instances left unpatched.
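For defenders checking whether the setup endpoint above was reached, or whether the file-removal mitigation from the advisory is actually in place, the following added example (not code from the article, Fortra or Horizon3) canonicalizes request paths from web server access logs and flags any request whose resolved path is InitialAccountSetup.xhtml, however it was spelled. It assumes combined-format log lines; the sample lines are constructed, and because the advisory only says the file lives somewhere under the installation directory, the mitigation check walks the whole tree rather than assuming a subpath.

```python
"""Flag requests that reach GoAnywhere MFT's InitialAccountSetup.xhtml and
check whether the file has been removed from an installation directory.

Added illustration for log review; it is not Fortra's or Horizon3's code.
Assumes Apache/NGINX-style combined log lines. Sample lines are constructed.
"""
import os
import posixpath
import re
from urllib.parse import unquote

SETUP_PAGE = "InitialAccountSetup.xhtml"

# Combined log format: client, ident, user, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path: str) -> str:
    """Decode and canonicalize a request path the way a lenient server might.

    URL-decoding repeats until stable so double-encoded dot segments resolve
    too; the query string is dropped and '..' segments are collapsed.
    """
    path = raw_path.split("?", 1)[0]
    decoded = unquote(path)
    while decoded != path:
        path, decoded = decoded, unquote(decoded)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def find_setup_requests(log_lines):
    """Return (client, timestamp, raw_path, status) for every request whose
    canonical path targets the setup page. After initial setup, any such
    request is worth investigating regardless of the status code."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        canonical = normalize_path(m.group("path"))
        if posixpath.basename(canonical) == SETUP_PAGE:
            hits.append((m.group("client"), m.group("ts"),
                         m.group("path"), int(m.group("status"))))
    return hits


def setup_page_files(install_dir: str):
    """Return paths of any InitialAccountSetup.xhtml still present under the
    installation directory; an empty list means the deletion mitigation holds."""
    found = []
    for root, _dirs, files in os.walk(install_dir):
        if SETUP_PAGE in files:
            found.append(os.path.join(root, SETUP_PAGE))
    return found


# Constructed sample: one direct hit, one reached via an encoded '..' segment.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2024:14:02:11 +0000] "GET /goanywhere/login.xhtml HTTP/1.1" 200 5123',
    '203.0.113.5 - - [22/Jan/2024:14:02:19 +0000] "GET /goanywhere/InitialAccountSetup.xhtml HTTP/1.1" 200 8810',
    '198.51.100.7 - - [22/Jan/2024:14:03:40 +0000] "POST /goanywhere/images/..%2FInitialAccountSetup.xhtml HTTP/1.1" 302 0',
    '198.51.100.7 - - [22/Jan/2024:14:03:41 +0000] "GET /goanywhere/images/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, ts, raw, status in find_setup_requests(SAMPLE_LOG):
        print(f"{ts} {client} -> {raw} ({status})")
    # Replace with the real installation directory when checking a host.
    print("files still present:", setup_page_files("/path/to/GoAnywhere"))
```

The canonicalization step matters because a request can reach the endpoint through a path that does not literally contain the file name; matching on the basename of the normalized path catches those as well as direct hits, and a non-matching status code is not a reason to ignore them.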
The Clop ransomware gang is known for breaching over 100 organizations using a critical remote code execution flaw (CVE-2023-0669) in GoAnywhere MFT. The vulnerability was exploited in early 2023, and it later emerged that it had been used to breach the secure file servers of Fortra's customers.
The victims of the attacks include several large organizations like CHS, Procter & Gamble, Rubrik, Hitachi Energy, Hatch Bank, Saks Fifth Avenue, and the City of Toronto, Canada.
The Clop gang's data theft campaign last year is part of a larger effort to target MFT platforms in recent years, including the exploitation of Accellion FTA servers in December 2020, SolarWinds Serv-U servers in 2021, and a series of attacks on MOVEit Transfer servers beginning on May 27, 2023.
Update January 23, 19:26 EST: Corrected start date for Clop’s MOVEit attacks.