- Fortra disclosed a critical authentication bypass vulnerability in GoAnywhere MFT with a CVSS score of 9.8 in a Monday security advisory. The company urged customers to upgrade the managed file-transfer service software or take mitigation steps to avoid potential compromise
- The vulnerability, CVE-2024-0204, is remotely exploitable and allows an unauthorized user to create an admin user via the administration panel. Fortra released a patch for the vulnerability on Dec. 7, but didn’t publicly disclose until this week.
- “We aren't directly aware of any exploits targeting the flaw right now, but notably, Fortra's advisory doesn't specify whether CVE-2024-0204 has already been exploited in the wild or not,” said Caitlin Condon, director of vulnerability research and intelligence at Rapid7. Fortra did not respond to inquiries.
File-transfer services such as GoAnywhere, which is used by more than 3,000 organizations, are an opportunistic attack vector and were extensively targeted by threat actors in 2023. A zero-day vulnerability in GoAnywhere was widely exploited by the Clop ransomware group in early 2023.
By mid-spring, Clop set its sights on a zero-day vulnerability in Progress Software’s MOVEit file-transfer service and ultimately stole data from at least 2,700 organizations, exposing more than 93 million personal records.
“In both those 2023 attacks, adversaries used zero-day vulnerabilities to exfiltrate data from victim organizations,” Condon said. “Those attacks also underscored the risk of downstream collateral damage, since organizations that didn't use the vulnerable software directly could still have their data exposed by partners or vendors who did use affected file-transfer products.”
Threat hunters haven’t observed any active exploits of the latest critical vulnerability in GoAnywhere, but that could change since Horizon3.ai published a proof-of-concept exploit code on Tuesday.
Fortra urged customers to upgrade to GoAnywhere MFT version 7.4.1 or higher or follow mitigation steps in its advisory.
While the discovery and disclosure of new vulnerabilities in software is a normal part of security operations, the manner in which vendors address the issue and communicate with customers is important, Condon said.
“In this case, the advisory appears to have been published more than six weeks after a fix was released,” Condon said.