Fortra Discloses Critical Auth Bypass Vuln in GoAnywhere MFT


PoC exploit code for flaw is publicly available, heightening breach risks for users of the managed file-transfer technology.
January 24, 2024
A proof-of-concept exploit is now available for a near maximum-severity flaw in Fortra's GoAnywhere Managed File Transfer (MFT) software that the company publicly disclosed on Jan. 23 after quietly informing customers about the threat almost seven weeks ago.
The release of the exploit means mass attacks targeting the flaw are almost certain to begin soon. According to telemetry that Tenable analyzed, less than 4% of GoAnywhere MFT assets appear to be fixed versions, meaning more than 96% are at significantly heightened risk of compromise.
Last year, the Cl0p ransomware group exploited a remote code injection bug in GoAnywhere (CVE-2023-0669) — initially as a zero-day — to deploy ransomware on systems belonging to more than 130 organizations, including Procter & Gamble, Hitachi Energy, the city of Toronto, Community Health Systems, and Hatch Bank.
The newly disclosed CVE-2024-0204 is an authentication bypass vulnerability that affects Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.x before 7.4.1. The vulnerability allows an unauthenticated remote attacker to bypass typical authentication checks and create new user accounts, including those with administrator-level privileges. Fortra has assigned the vulnerability a severity score of 9.8, which is close to the maximum possible 10 on the CVSS severity scoring scale.
Fortra privately informed customers about the vulnerability on Dec. 7, 2023, and issued a patch for it, after two bug hunters reported the issue to the company. Following Fortra's disclosure of the bug on Jan. 23, researchers from published a proof-of-concept exploit for CVE-2024-0204 along with indicators of compromise (IoCs) and technical details of the bug. The exploit demonstrates how an attacker can abuse the vulnerability to add an administrative user on vulnerable instances of GoAnywhere MFT.
"The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section," said. "If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise."
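As an added example (not code from the article, from Fortra, or from the researchers quoted), the following Python helper encodes the affected-version ranges stated above for CVE-2024-0204 and performs the admin-user check the quote describes: it flags inventory entries still on a vulnerable release and diffs the current Admin Users list against a known-good baseline. Hostnames, account names and timestamps are constructed sample data.

```python
from __future__ import annotations

# Affected ranges as stated in the advisory for CVE-2024-0204:
# 6.x from 6.0.1 onward, and 7.x before 7.4.1 (7.4.1 is the fixed release).
FIRST_AFFECTED_6 = (6, 0, 1)
FIXED_7 = (7, 4, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.0' or '6.8' into a comparable tuple, padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the GoAnywhere MFT version falls in a range the advisory lists as vulnerable."""
    v = parse_version(version)
    if v[0] == 6:
        return v >= FIRST_AFFECTED_6
    if v[0] == 7:
        return v < FIXED_7
    return False  # other major versions are not named in the advisory


def triage(inventory: dict[str, str]) -> list[str]:
    """Return hostnames (assumed inventory keys) whose version is affected, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


def new_admin_users(baseline: set[str], current: dict[str, str]) -> dict[str, str]:
    """Admin accounts present now but absent from the known-good baseline, mapped to
    their last-logon timestamp so an approximate compromise date can be estimated."""
    return {user: last for user, last in current.items() if user not in baseline}


# Constructed sample data, not taken from any real deployment.
SAMPLE_INVENTORY = {"mft-a": "7.4.1", "mft-b": "7.3.0", "mft-c": "6.8.6", "mft-d": "6.0.0"}
SAMPLE_BASELINE = {"administrator", "backup-admin"}
SAMPLE_CURRENT = {
    "administrator": "2024-01-22T09:15:00Z",
    "backup-admin": "2023-12-01T17:40:00Z",
    "svc-transfer": "2024-01-23T03:02:11Z",
}

if __name__ == "__main__":
    print("Still vulnerable:", triage(SAMPLE_INVENTORY))
    print("Unexpected admin users:", new_admin_users(SAMPLE_BASELINE, SAMPLE_CURRENT))
```

An unexpected admin account flagged this way is a lead for investigation, not proof of compromise on its own; the last-logon value narrows the window to review in the transfer and audit logs.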
James Horseman, exploit developer at, described the new vulnerability as trivial to exploit. "An attacker can easily scan the Internet for instances of GoAnywhere MFT using Shodan or a similar tool," he says. "After that, any attacker can easily try the exploit to determine if the instance is vulnerable."
Thousands of organizations currently use GoAnywhere MFT to manage ad hoc and batch file transfers in what the company describes as a secure, fully encrypted, and auditable fashion. The company has described users of GoAnywhere as ranging from small organizations to Fortune 500 companies, nonprofits, and government agencies.
Managed file transfer technologies such as GoAnywhere are a treasure trove of information for attackers, says Scott Caveza, senior research engineer at Tenable, which has published a blog post on CVE-2024-0204. "[The products are] typically used by organizations as a quick and easy way to share information with customers, partners, and internal stakeholders," Caveza notes. "Sensitive information is likely to be found on these systems, making them a very attractive target."
The Cl0p ransomware group's attack on the GoAnywhere MFT flaw from 2023 (CVE-2023-0669) was one of the most visible manifestations of that interest. The attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to include the vulnerability in a June 2023 advisory on the Cl0p ransomware threat.
Caveza says it was not just the Cl0p gang that targeted the flaw. "While the Cl0p ransomware variant gained the most attention and was widely used, we've seen reports from various third parties to suggest that BlackCat (ALPHV) and LockBit may have also exploited CVE-2023-0669 as well," he says. "It's likely these other groups began their exploitation after the vulnerability was publicly known."
Fortra's decision to delay public disclosure of the new bug by several weeks almost certainly stemmed from an effort to give customers an opportunity to patch the issue before attackers began jumping all over it. The company attracted some flak last year for the way it handled communications regarding CVE-2023-0669. In fact, it wasn't until cybersecurity news site Krebs on Security posted Fortra's advisory on the bug that most people even learned about the threat.
"We've observed vendors who have taken the approach of privately disclosing to their customers before making a public advisory, which has had mixed success," Caveza says. "On one hand, it gives your customers the chance to apply a patch or mitigation before details are public. On the other hand, the lack of transparency could affect public image."
It's a sentiment that Horseman shares. By delaying disclosure, an organization gives customers time to mitigate and prepare. "On the other hand, users may not feel the urgency to patch without the public disclosure," Horseman says. "Patching can disrupt business operations and requires pre-planning. By delaying public disclosure, vendors are withholding information from users that can be used when determining when to patch."
Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.