9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.6 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.968 High
EPSS
Percentile
99.7%
On January 22, 2024, Fortra published a security advisory on CVE-2024-0204, a critical authentication bypass affecting its GoAnywhere MFT secure managed file transfer product prior to version 7.4.1. The vulnerability is remotely exploitable and allows an unauthorized user to create an admin user via the administration portal. Fortra lists the root cause of CVE-2024-0204 as CWE-425: Forced Browsing, a weakness that occurs when a web application does not adequately enforce authorization on restricted URLs, scripts, or files.
Fortra evidently addressed this vulnerability in a December 7, 2023 release of GoAnywhere MFT, but it would appear they did not issue an advisory until now. According to a screenshot from Mohammed Eldeeb, the researcher who discovered the vulnerability, private communications went out to GoAnywhere MFT customers circa December 4. Fortra has since indicated to news outlets that CVE-2024-0204 was not exploited in the wild at time of disclosure.
In February 2023, a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT was exploited in a large-scale extortion campaign conducted by the Cl0p ransomware group. It's unclear from Fortra's initial advisory whether CVE-2024-0204 has been exploited in the wild, but we would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month. Rapid7 strongly advises GoAnywhere MFT customers to take emergency action.
CVE-2024-0204 affects GoAnywhere MFT versions prior to 7.4.1.
GoAnywhere MFT customers who have not already updated to a fixed version (7.4.1 or higher) should do so on an emergency basis, without waiting for a regular patch cycle to occur. Organizations should also ensure that administrative portals are not exposed to the public internet.
Per the vendor advisory, "the vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see <https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml> (registration required)."
If you are unable to update to a fixed version, Fortra has offered two manual mitigation pathways:
1. Deleting the InitialAccountSetup.xhtml file in the installation directory and restarting the services (non-container deployments).
2. Replacing the InitialAccountSetup.xhtml file with an empty file and restarting the services (container deployments).
InsightVM and Nexpose customers are able to assess their exposure to CVE-2024-0204 with an unauthenticated vulnerability check (vuln ID: goanywhere-cve-2024-0204) available in the content update released on January 23 at 3:20pm ET.
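The manual mitigation described above, as an added shell example that is not Fortra's or Rapid7's code: it reports whether InitialAccountSetup.xhtml is present, empty or absent under a given install directory, then applies either the deletion variant (non-container) or the empty-file variant (container). It assumes the file sits directly under the install directory you pass in, as the advisory wording suggests; adjust the path if your deployment keeps it elsewhere. Service names vary per deployment, so the restart is left to the operator and only a reminder is printed. The function and argument names are my own.

```shell
#!/bin/sh
# Added example (not Fortra's or Rapid7's code): check for and apply the
# vendor-described manual mitigation for CVE-2024-0204 on a GoAnywhere MFT
# install. Assumes InitialAccountSetup.xhtml sits directly under the install
# directory given as $1 (assumption; adjust to your deployment's layout).
# Services are NOT restarted here: names differ per deployment, so a reminder
# is printed instead.

SETUP_FILE="InitialAccountSetup.xhtml"

# goanywhere_setup_state <install_dir>
# Prints one word: present | empty | absent
goanywhere_setup_state() {
    install_dir="$1"
    f="$install_dir/$SETUP_FILE"
    if [ ! -e "$f" ]; then
        echo absent
    elif [ ! -s "$f" ]; then
        echo empty
    else
        echo present
    fi
}

# apply_goanywhere_mitigation <install_dir> <host|container>
#   host:      delete the file (non-container deployments)
#   container: replace it with an empty file (container deployments)
# Returns 0 when the install ends up mitigated, 1 on a filesystem failure,
# 2 on bad arguments. Idempotent: re-running on a mitigated install is a no-op.
apply_goanywhere_mitigation() {
    install_dir="$1"
    mode="$2"
    f="$install_dir/$SETUP_FILE"
    [ -d "$install_dir" ] || { echo "no such install dir: $install_dir" >&2; return 2; }
    case "$mode" in
        host)
            if [ -e "$f" ]; then
                rm -f -- "$f" || return 1
            fi
            ;;
        container)
            # Truncate rather than delete so the file mapping inside the
            # container image stays intact, as the advisory instructs.
            : > "$f" || return 1
            ;;
        *)
            echo "mode must be host or container" >&2
            return 2
            ;;
    esac
    echo "mitigation applied ($mode); restart the GoAnywhere services for it to take effect" >&2
    return 0
}

# Usage as a script: sh goanywhere_mitigate.sh /path/to/GoAnywhere host
if [ "$#" -eq 2 ]; then
    echo "before: $(goanywhere_setup_state "$1")"
    apply_goanywhere_mitigation "$1" "$2" || exit $?
    echo "after:  $(goanywhere_setup_state "$1")"
fi
```

Run goanywhere_setup_state again after the service restart: an install that still reports "present" has not been mitigated, and the vendor's primary guidance (update to 7.4.1 or higher) still applies regardless of the file's state.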
January 23, 2024: Updated to note that the vulnerability appears to have been communicated to GoAnywhere MFT customers privately in early December. Mitigation guidance updated to reinforce that administrative portals should not be exposed to the public internet.
January 24, 2024: Updated to reflect that Fortra has indicated CVE-2024-0204 was not exploited in the wild at time of public disclosure.