Flash Notice: Critical Vulnerability Found in Fortra’s GoAnywhere MFT Software

overview

A critical vulnerability (CVE-2024-0204) was found in Fortra’s GoAnywhere Managed File Transfer (MFT) software. CVE-2024-0204 has a CVSS score of 9.8 and allows an unauthorized user to create a new administrator account through the administration portal. This authentication bypass vulnerability is present in GoAnywhere MFT versions 7.4.0 and below, as well as 6.0.1 and above. 

Despite researchers discovering the vulnerability in December 2023, it has only been recently that the cybersecurity firm Horizon3.ai released a proof-of-concept (PoC). With the PoC now available, researchers expect threat actors to exploit the vulnerability in the very near future.   

Please be aware that secure file transfer tools, such as GoAnywhere MFT, are attractive targets for threat actors due to the sensitive enterprise data they handle. Fortra's GoAnywhere MFT was previously targeted by Cl0p ransomware in February 2023, and this vulnerability follows a pattern of file transfer solutions being exploited by other malicious actors. Avertium urges all affected users to apply the available patch immediately to protect their systems against potential exploitation. 

avertium's recommendationS

• For immediate mitigation, users are strongly advised to upgrade to GoAnywhere MFT version 7.4.1.  
• In cases where immediate upgrade is not possible, temporary workarounds are available for both non-container and container deployments.  
  • For non-container deployments, delete the "InitialAccountSetup.xhtml" file in the install directory and restart the services.  
  • For container-deployed instances, it is recommended to replace the file with an empty file and restart. 
  • For more information regarding CVE-2024-0204, please see Fortra’s advisory.  

INDICATORS OF COMPROMISE (IoCs)

• Researchers recommend monitoring for any new additions to the Admin Users group in the GoAnywhere administrator portal under the Users -> Admin Users section. This could serve as an indicator that the vulnerability has been exploited, as unauthorized administrative users may have been created. 
• At this time, there are no other IoCs associated with CVE-2024-0204. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

How Avertium is Protecting Our CUSTOMERS

• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  
  • Risk Assessments 
  • Pen Testing and Social Engineering  
  • Infrastructure Architecture and Integration  
  • Zero Trust Network Architecture 
  • Vulnerability Management 
• Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
• We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

SUPPORTING DOCUMENTATION