PoC for easily exploitable Fortra GoAnywhere MFT vulnerability released (CVE-2024-0204)

Proof-of-concept (PoC) exploit code for a critical vulnerability (CVE-2024-0204) in Fortra’s GoAnywhere MFT solution has been made public, sparking fears that attackers may soon take advantage of it.

Fortra’s GoAnywhere MFT is a web-based managed file transfer solution widely used by organizations of all sizes.

In early 2023, the Cl0P ransomware gang exploited a zero-day vulnerability (CVE-2023-0669) in the same solution to exfiltrate data of 130+ victim organizations, and followed up with threats to publish it if they didn’t get paid not to.

About CVE-2024-0204

CVE-2024-0204 is an authentication bypass vulnerability: it allows an unauthorized user to create an admin user via the solution’s administration portal.

It affects Fortra GoAnywhere MFT versions 6.x from 6.0.1 and versions 7.x before 7.4.1.

It has been fixed in version 7.4.1, which was released on December 7, 2023, with release notes that simply stated that “an authentication bypass issue allowing invalid access to create new users” had been fixed.

CVE-2024-0204 was privately reported by Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants in early December 2023, and Fortra’s GoAnywhere MFT customers got an advance warning with instructions on how to remediate the vulnerability.

“[The vulnerability] is particularly risky for any customers who are running an admin portal exposed to the public internet which is not a recommended configuration,” the company noted.

On Monday, January 22, Fortra finally released a publicly accessible security advisory documenting the existence of the vulnerability, now officially identified via a CVE number.

The advisory urged customers to upgrade their self-hosted installations to version 7.4.1 or higher. “The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart,” they added.

A PoC for CVE-2024-0204 is available

On Tuesday (January 23), Horizon3.ai researchers published a technical analysis of the vulnerability and a PoC script that exploits CVE-2024-0204 to add an administrative user to a vulnerable Fortra GoAnywhere MFT installation.

Forta’s advisory does not say anything about the vulnerability being leveraged in attacks in the wild, but with all this knowledge now public, we can expect attackers to get on it quickly.

Also, as security researcher Kevin Beaumont noted, the vulnerability is incredibly easy to exploit. “Expect extortion,” he forewarned.

The Shodan search engine currently sees 1,800+ internet-exposed Fortra GoAnywhere MFT admin portals.

While the hope is that affected customers have already upgraded their installations, organizations have historically been slow to patch GoAnywhere MFT even when a vulnerability was under active exploitation for months.

Tenable’s telemetry also shows an abysmal upgrade rate, but some organizations might have first implemented the temporary workaround or pulled the admin portal from the public internet instead.

Greynoise still hasn’t observed CVE-2024-0204 exploitation attempts in the wild.

UPDATE (January 25, 2024, 06:40 a.m. ET):

The Shadowserver Foundation says they are seeing many Fortra GoAnywhere MFT CVE-2024-0204-related exploit attempts based on the public PoC exploit. “Over 120 IPs seen so far … However, we think unlikely these will be successful on larger scale as not many admin portals exposed (only ~50, most patched),” they added.