A critical security flaw has been disclosed in Fortra's GoAnywhere Managed File Transfer (MFT) software that could be abused to create a new administrator user.
Tracked as CVE-2024-0204, the issue carries a CVSS score of 9.8 out of 10.
"Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal," Fortra said in an advisory released on January 22, 2024.
Users who cannot upgrade to version 7.4.1 can apply temporary workarounds in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services.
For container-deployed instances, it's recommended to replace the file with an empty file and restart.
Mohammed Eldeeb and Islam Elrfai of Cairo-based Spark Engineering Consultants have been credited with discovering and reporting the flaw in December 2023.
Cybersecurity firm Horizon3.ai, which published a proof-of-concept (PoC) exploit for CVE-2024-0204, said the issue is the result of a path traversal weakness in the "/InitialAccountSetup.xhtml" endpoint that could be exploited to create administrative users.
"The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section," Horizon3.ai security researcher Zach Hanley said.
"If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise."
Data shared by Tenable shows that 96.4% of GoAnywhere MFT assets are using an affected version, while 3.6% are running a fixed version as of January 23, 2024, meaning a large number of the instances are at heightened risk of compromise.
While there is no evidence of active exploitation of CVE-2024-0204 in the wild, another flaw in the same product (CVE-2023-0669, CVSS score: 7.2) was abused by the Cl0p ransomware group to breach nearly 130 victims last year.
