Proof-of-concept exploit details are available for a newly disclosed critical vulnerability in Fortra GoAnywhere Managed File Transfer (MFT), a product historically targeted by ransomware

CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Vulnerability

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Fortra GoAnywhere MFT is a Managed File Transfer (MFT) solution helping organizations build both internal and external data transfer exchanges. GoAnyWhere MFT versions 6.x from 6.0.1 and 7.x before 7.4.1 suffer from an authentication bypass vulnerability. By crafting a specific URL, a remote and unauthenticated attacker can access the wizard setup and create a new administrator account on the target GoAnywhere instance.

According to its self-reported version, the instance of Fortra GoAnywhere Managed File Transfer (MFT) running on the remote web server is < 7.4.1. It is, therefore, affected by an authentication bypass vulnerability. This can allow an unauthenticated attacker to create an admin user via the administration portal.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114163	Fortra GoAnywhere MFT 6.x > 6.0.1 / 7.x < 7.4.1 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
189377	Fortra GoAnywhere Managed File Transfer (MFT) < 7.4.1 Authentication Bypass (CVE-2024-0204)	Nessus	Misc.	critical
189373	Fortra GoAnywhere Managed File Transfer (MFT) < 7.4.1 Authentication Bypass (CVE-2024-0204)	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2024-0204

critical

Tenable Plugins

critical

critical

critical