Dive Brief:
- Fortra disclosed a critical authentication bypass vulnerability in GoAnywhere MFT with a CVSS score of 9.8 in a Monday security advisory. The company urged customers to upgrade the managed file-transfer software or take mitigation steps to avoid potential compromise.
- The vulnerability, CVE-2024-0204, is remotely exploitable and allows an unauthorized user to create an admin user via the administration panel. Fortra released a patch for the vulnerability on Dec. 7 but didn’t publicly disclose it until this week.
- “We aren't directly aware of any exploits targeting the flaw right now, but notably, Fortra's advisory doesn't specify whether CVE-2024-0204 has already been exploited in the wild or not,” said Caitlin Condon, director of vulnerability research and intelligence at Rapid7. Fortra did not respond to inquiries.
Dive Insight:
File-transfer services such as GoAnywhere, which is used by more than 3,000 organizations, are an opportunistic attack vector and were extensively targeted by threat actors in 2023. A zero-day vulnerability in GoAnywhere was widely exploited by the Clop ransomware group in early 2023.
By mid-spring, Clop set its sights on a zero-day vulnerability in Progress Software’s MOVEit file-transfer service and ultimately stole data from at least 2,700 organizations, exposing more than 93 million personal records.
“In both those 2023 attacks, adversaries used zero-day vulnerabilities to exfiltrate data from victim organizations,” Condon said. “Those attacks also underscored the risk of downstream collateral damage, since organizations that didn't use the vulnerable software directly could still have their data exposed by partners or vendors who did use affected file-transfer products.”
Threat hunters haven’t observed any active exploitation of the latest critical vulnerability in GoAnywhere, but that could change since Horizon3.ai published proof-of-concept exploit code on Tuesday.
Fortra urged customers to upgrade to GoAnywhere MFT version 7.4.1 or higher or follow mitigation steps in its advisory.
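The practical first step for a defender is knowing which GoAnywhere MFT instances still run a release below the fixed version the advisory names (7.4.1). The script below is an added example, not code from the article or from Fortra: it parses version strings from a constructed asset inventory (hostnames and versions are made up) and flags anything below 7.4.1 so it can be upgraded or have the advisory’s mitigation applied. The inventory format is an assumption; in practice the versions would come from your CMDB or scanner output.

```python
# Added example (not from the article or Fortra): triage GoAnywhere MFT
# instances against the first fixed release stated in the advisory, 7.4.1.
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = (7, 4, 1)  # first fixed release named in the Fortra advisory

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.4.1', '7.4' or '7.4.1-build3' into a comparable (major, minor, patch) tuple.

    Missing components are treated as 0; a trailing build tag is ignored.
    Raises ValueError on strings that do not start with a numeric version.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(group or 0) for group in match.groups())  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    """True when the reported version is below the fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_unpatched(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose GoAnywhere MFT version is below the fixed release."""
    return [host for host, version in inventory if is_vulnerable(version)]


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("mft-prod-01.example.internal", "7.4.1"),
    ("mft-prod-02.example.internal", "7.4.0"),
    ("mft-dr-01.example.internal", "7.3.2-build17"),
    ("mft-lab-01.example.internal", "7.5"),
]

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: below 7.4.1, upgrade or apply the advisory mitigation")
```

Comparing tuples rather than raw strings avoids the classic mistake of ranking "7.10.0" below "7.4.1" lexically; the regex also tolerates the two- and three-component forms and build suffixes that inventories tend to mix together.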
While the discovery and disclosure of new vulnerabilities in software is a normal part of security operations, the manner in which vendors address the issue and communicate with customers is important, Condon said.
“In this case, the advisory appears to have been published more than six weeks after a fix was released,” Condon said.