Dive Brief:
- Nearly 800 instances of Forta’s GoAnywhere MFT remain unpatched and potentially exposed to a critical vulnerability disclosed earlier this week, according to Shadowserver data published Friday.
- While many instances of the file-transfer service remain unpatched, less than 30 are vulnerable to exploits due to admin panel exposure on the public internet, Shadowserver said. Remote access to the administration panel is required for threat actors to exploit the critical authentication bypass vulnerability, CVE-2024-0204.
- Forta released a patch for the vulnerability on Dec. 7, but didn’t publicly disclose the vulnerability with a CVSS score of 9.8 until this week.
Dive Insight:
GoAnywhere is used by more than 3,000 organizations, but active exploits and widespread exposure from the latest CVE in the file-transfer service have yet to materialize.
The critical vulnerability quickly caught the attention of threat hunters and defenders, as multiple file-transfer services including GoAnywhere were broadly targeted in 2023. A zero-day vulnerability in GoAnywhere was widely exploited by the Clop ransomware group in early 2023.
Censys on Wednesday observed nearly 170 hosts with publicly exposed GoAnywhere admin interfaces, but said it’s unclear how many are vulnerable to exploits.
“Although this isn’t the most extensive level of exposure we’ve encountered, it does raise concerns given the nature of the data stored in these instances,” Himaja Motheram, security researcher at Censys, said in a blog post. “The relatively small number of hosts belies the potential damage that could occur with just one compromise.”
The majority of GoAnywhere MFT admin interfaces running on default port settings are hosted in the U.S., according to Censys. More than 3 in 5 of those publicly exposed instances are hosted on cloud networks operated by Amazon, Microsoft and Google.
“We expect to see a rise in scanning and compromise of exposed unpatched GoAnywhere MFT instances,” Motheram said. “Patching immediately is crucial.”