Security Advisory – Critical Authentication Bypass in Fortra’s GoAnywhere MFT Identified (CVE-2024-0204)

Fortra recently published a security advisory detailing a critical vulnerability in its GoAnywhere Managed File Transfer (MFT) software. The advisory, identified as FI-2024-001, addresses an authentication bypass issue that could allow unauthorized users to create admin users through the administration portal. This vulnerability, tracked as CVE-2024-0204, impacts Fortra GoAnywhere MFT versions 6.x from 6.0.1 and 7.x before 7.4.1. It was discovered by Mohammed Eldeeb & Islam Elrfai from Spark Engineering Consultants.

The vulnerability has been categorized as a Critical severity issue with a CVSSv3.1 score of 9.8, indicating a high level of risk. The technical classification of the vulnerability is CWE-425, Direct Request (‘Forced Browsing’). Fortra has released a fix for this issue, advising users to upgrade to GoAnywhere MFT version 7.4.1 or higher. For non-container deployments, an alternative remediation involves deleting the InitialAccountSetup.xhtml file and restarting services. In container-deployed instances, replacing the file with an empty one and restarting is recommended.
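For a defender triaging exposure, the two practical questions the advisory raises are whether an installed build falls inside the affected version ranges and whether the administration portal's access logs show requests for the setup page that the remediation removes. The following Python is an added example, not Fortra's code or part of the advisory: it encodes the version ranges stated above and scans constructed, common-log-style lines (not real GoAnywhere log output) for any request path that references `InitialAccountSetup.xhtml`. The log format and the hypothetical hostnames and addresses are assumptions for illustration only.

```python
"""Exposure triage for CVE-2024-0204 (added example, not Fortra's code).

Assumptions (not from the advisory): versions are dotted-numeric strings,
and the reverse proxy in front of the admin portal writes a common-log-style
access log. Sample log lines below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Affected per the advisory: GoAnywhere MFT 6.x from 6.0.1, and 7.x before 7.4.1.
FIXED_VERSION = (7, 4, 1)
FIRST_AFFECTED_6X = (6, 0, 1)
# File named in the advisory's non-upgrade remediation.
SETUP_PAGE = "InitialAccountSetup.xhtml"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '7.4.1' into (7, 4, 1); pad short strings so '6.0' compares as 6.0.0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v[0] == 6:
        return v >= FIRST_AFFECTED_6X
    if v[0] == 7:
        return v < FIXED_VERSION
    return False


# Common-log-style line: client, two ignored fields, timestamp, request, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_setup_page_requests(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client, method, path, status) for every request naming the setup page.

    The match is case-insensitive and applies to the whole request path, so a
    hit is reported regardless of what directory prefix precedes the file name.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if SETUP_PAGE.lower() in m.group("path").lower():
            hits.append((m.group("client"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (hypothetical hosts and addresses, not real data).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jan/2024:10:01:02 +0000] "GET /goanywhere/login.xhtml HTTP/1.1" 200 4821',
    '203.0.113.7 - - [23/Jan/2024:10:01:09 +0000] "POST /goanywhere/InitialAccountSetup.xhtml HTTP/1.1" 200 1337',
    '198.51.100.4 - - [23/Jan/2024:10:02:44 +0000] "GET /goanywhere/admin/dashboard.xhtml HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ver in ("6.0.0", "6.0.1", "7.3.9", "7.4.0", "7.4.1", "7.5.0"):
        print(f"{ver:>6}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for hit in find_setup_page_requests(SAMPLE_LOG):
        print("setup page requested:", hit)
```

Any hit from `find_setup_page_requests` on an instance that is still on an affected version is worth escalating to an administrator-account audit, since the advisory's impact is the creation of admin users through the portal; on a patched instance, or one where the file has been removed or emptied as the advisory describes, the same hit should return a non-200 status and can serve as a check that the remediation took effect.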

For additional details and guidance, users can refer to Fortra’s customer advisory, which requires registration for access.

Source: Fortra Security Advisory