CVE-2024-0204 (CVSS 9.8): Critical Authentication Bypass Flaw in GoAnywhere MFT

CVE-2024-0204

GoAnywhere MFT is Fortra’s managed file transfer (MFT) product: it automates, centralizes, and secures file transfers between an organization’s systems, people, and trading partners. A new advisory from the vendor discloses a critical flaw that defeats authentication on the product’s administration portal.

Tracked as CVE-2024-0204 with a CVSS score of 9.8, the flaw is an authentication bypass in Fortra’s GoAnywhere MFT before version 7.4.1. An unauthorized user can reach the administration portal and create a new administrator account, which gives full administrative control of the MFT instance.

“Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal,” warns the GoAnywhere security advisory.

Security researchers Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants are credited with reporting the flaw.

CVE-2024-0204 affects the following versions:

  • Fortra GoAnywhere MFT 6.x from version 6.0.1
  • Fortra GoAnywhere MFT 7.x up to but not including version 7.4.1

The vendor’s remediation is to upgrade to version 7.4.1 or later.

For non-container deployments that cannot upgrade immediately, the advisory gives a workaround: delete the InitialAccountSetup.xhtml file from the installation directory and restart the services. For container deployments, replace that file with an empty file and restart the services. The workaround removes the setup page the bypass relies on; it is a stopgap, and the upgrade to 7.4.1 remains the fix. Further guidance is available on GoAnywhere’s security advisories page, which requires registration to access.
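The version check and the workaround above, written out as a POSIX shell script. This is an added example, not Fortra’s own tooling: it decides from a version string whether an install is in the affected ranges (6.x from 6.0.1, 7.x before 7.4.1), then removes (non-container, "host" mode) or truncates (container mode) InitialAccountSetup.xhtml wherever it sits under the installation directory, keeps a copy outside the install tree, and verifies that no non-empty copy remains. The installation path, backup location and deployment mode are parameters you supply; the location of the file inside the install tree is not assumed (it is located with find), and the service restart is left to the operator because the advisory text here does not name the service.

```shell
#!/bin/sh
# Added example (not Fortra's tooling): CVE-2024-0204 version check and the
# InitialAccountSetup.xhtml workaround described in the advisory text above.

# is_affected_version VERSION
# Returns 0 when VERSION is in the affected ranges: 6.x from 6.0.1 onward,
# or 7.x before 7.4.1. Anything else (other majors, 7.4.1+) returns 1.
is_affected_version() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -s -f2)
    patch=$(printf '%s' "$1" | cut -d. -s -f3)
    minor=${minor:-0}
    patch=${patch:-0}
    case "$major" in
        6)  # 6.x from 6.0.1 onward
            [ "$minor" -gt 0 ] || [ "$patch" -ge 1 ] ;;
        7)  # 7.x below 7.4.1
            [ "$minor" -lt 4 ] || { [ "$minor" -eq 4 ] && [ "$patch" -lt 1 ]; } ;;
        *)  return 1 ;;
    esac
}

# mitigate_initial_setup INSTALL_DIR MODE BACKUP_DIR
# MODE is "host" (non-container deployment: delete the file) or
# "container" (replace it with an empty file), as in the advisory.
# Returns 0 on success, 2 if the file was not found, 64 on a bad MODE.
mitigate_initial_setup() {
    install_dir=$1
    mode=$2
    backup_dir=$3
    case "$mode" in
        host|container) ;;
        *) echo "mode must be host or container, got: $mode" >&2; return 64 ;;
    esac
    # The file's exact location inside the install tree is not assumed here.
    target=$(find "$install_dir" -type f -name InitialAccountSetup.xhtml 2>/dev/null | head -n 1)
    if [ -z "$target" ]; then
        echo "InitialAccountSetup.xhtml not found under $install_dir" >&2
        return 2
    fi
    # Keep a copy outside the install tree (our addition, not in the advisory)
    # so the backup is not itself served by the application.
    mkdir -p "$backup_dir"
    cp -p "$target" "$backup_dir/InitialAccountSetup.xhtml"
    if [ "$mode" = host ]; then
        rm -f "$target"
    else
        : > "$target"
    fi
    echo "workaround applied to $target; restart the GoAnywhere services now"
}

# verify_mitigated INSTALL_DIR
# Returns 0 when no non-empty InitialAccountSetup.xhtml remains under INSTALL_DIR
# (covers both the deleted and the truncated form of the workaround).
verify_mitigated() {
    if find "$1" -type f -name InitialAccountSetup.xhtml -size +0c 2>/dev/null | grep -q .; then
        return 1
    fi
    return 0
}

# Usage: sh goanywhere-cve-2024-0204.sh VERSION INSTALL_DIR MODE BACKUP_DIR
# Example: sh goanywhere-cve-2024-0204.sh 7.3.0 /opt/goanywhere host /root/ga-backup
if [ "$#" -eq 4 ]; then
    if is_affected_version "$1"; then
        mitigate_initial_setup "$2" "$3" "$4" && verify_mitigated "$2"
    else
        echo "version $1 is not in the affected range; no action taken"
    fi
fi
```

Run it once with the real version string and install path before relying on it; the script only touches the first InitialAccountSetup.xhtml it finds, and verify_mitigated fails if another non-empty copy is left, which is the cue to inspect the tree by hand. Apply the workaround only until the upgrade to 7.4.1 is done, then restore the file from the backup directory if the upgrade expects it.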

Update: 

On January 24, 2024, a security researcher published proof-of-concept (PoC) exploit code for CVE-2024-0204, the recently patched critical authentication bypass in Fortra GoAnywhere MFT. Instances that have not been upgraded to 7.4.1, or at least had the InitialAccountSetup.xhtml workaround applied, should be treated as exposed.