CVE-2024-0204

critical

Description

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

From the Tenable Blog

CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Vulnerability

Published: 2024-01-24

Proof-of-concept exploit details are available for a newly disclosed critical vulnerability in Fortra GoAnywhere Managed File Transfer (MFT), a product historically targeted by ransomware

References

https://www.scworld.com/news/fortra-filecatalyst-rce-bug-disclosed-full-poc-exploit-available

https://www.tenable.com/blog/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-vulnerability

https://www.fortra.com/security/advisory/fi-2024-001

https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml

http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html

http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html

Details

Source: Mitre, NVD

Published: 2024-01-22

Updated: 2024-02-02

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H