GoAnywhere MFT: Critical vulnerability allows anyone to act as admin
Identified as CVE-2024-0204 with a CVSS score of 9.8, the flaw allows an attacker to bypass authentication through the administration portal in GoAnywhere MFT versions prior to 7.4.1. Fortra released an advisory on January 22, 2024, advising users to upgrade to version 7.4.1. For those unable to upgrade immediately, temporary workarounds involve deleting the InitialAccountSetup.xhtml file and restarting services in non-container deployments, or replacing the file with an empty one in container-deployed instances.
The vulnerability, discovered by Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants in December 2023, results from a path traversal weakness in the “/InitialAccountSetup.xhtml” endpoint. Horizon3.ai, a cybersecurity firm, published a proof-of-concept (PoC) exploit for CVE-2024-0204, showing that it can be used to create new administrative users. Zach Hanley, a security researcher at Horizon3.ai, noted that monitoring for additions to the Admin Users group in the GoAnywhere administrator portal can serve as an indicator of compromise, and that the last logon activity of any unexpected account helps estimate the date of compromise.
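The indicator Hanley describes, as an added example that is not from the article or from Horizon3.ai: compare a trusted inventory of admin accounts against a current export of the Admin Users group, flag anything new, and use the earliest last-logon among the new accounts to bound when the compromise happened. The export format (one dict per user with "username" and "last_logon" fields) and the sample data are constructed assumptions, not GoAnywhere's actual export.

```python
"""Hunt for the CVE-2024-0204 indicator: admin accounts that appear in the
GoAnywhere Admin Users group without a matching entry in a trusted baseline.
Field names and sample data are assumptions for illustration only."""
from datetime import datetime

# Constructed baseline: admin usernames from an earlier, trusted inventory.
KNOWN_ADMINS = {"administrator", "mft-ops"}

# Constructed current export of the Admin Users group (timestamps in ISO 8601).
CURRENT_ADMINS = [
    {"username": "administrator", "last_logon": "2024-01-19T08:12:00"},
    {"username": "mft-ops", "last_logon": "2024-01-21T17:40:00"},
    {"username": "svc_backup1", "last_logon": "2024-01-23T03:05:00"},
]


def unexpected_admins(current, known):
    """Return admin accounts present in the export but absent from the baseline.

    Usernames are compared case-insensitively; results are sorted by last logon
    so the earliest activity comes first.
    """
    known_lower = {name.lower() for name in known}
    new = [u for u in current if u["username"].lower() not in known_lower]
    return sorted(new, key=lambda u: u["last_logon"])


def latest_possible_compromise(current, known):
    """Return the date of the earliest last-logon among unexpected admins.

    An unexpected admin account must have existed by its last logon, so this
    date is an upper bound on when the account was created; returns None when
    no unexpected accounts are present.
    """
    new = unexpected_admins(current, known)
    if not new:
        return None
    return datetime.fromisoformat(new[0]["last_logon"]).date()


if __name__ == "__main__":
    for user in unexpected_admins(CURRENT_ADMINS, KNOWN_ADMINS):
        print(f"unexpected admin: {user['username']} "
              f"(last logon {user['last_logon']})")
    print("compromise occurred no later than:",
          latest_possible_compromise(CURRENT_ADMINS, KNOWN_ADMINS))
```

Run it against a real export after the baseline has been confirmed against change records; a missing or empty result is only meaningful if the baseline itself predates the exposure window.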
Although there is no current evidence of in-the-wild exploitation of CVE-2024-0204, it is noteworthy that a previous flaw in the same product (CVE-2023-0669, CVSS score: 7.2) was exploited by the Cl0p ransomware group, affecting nearly 130 victims the previous year.