On January 22, 2024, Fortra disclosed a critical severity vulnerability (CVE-2024-0204, CVSS 9.8) impacting versions prior to 7.4.1 of their GoAnywhere Managed File Transfer (MFT) product.
The flaw consists of a an authentication bypass which enables a potential attacker to gain access to the administration portal and create an administrator user with subsequent privileged access to all the resources and permissions that belong to the administrator. According to the Fortra report, the issue was discovered on December 1, 2023.
Fortra's advisory indicates upgrading is the preferable remediation method. The same source offers potential workarounds:
In non-container deployments: Deletion of the InitialAccountSetup.xhtml file in the install directory and restart of the services resolves the issue;
In container deployments: Replacement of the abovementioned file with an empty file and reboot resolves the issue.
There is a public proof-of-concept exploit; Horizon3.ai released it on GitHub on January 23, 2024.
This vulnerability poses significant concerns particularly in connection to the ransomware threat landscape. In January 2023, a separate flaw impacting GoAnywhere MFT (CVE-2023-0669) was exploited by the Cl0p ransomware group in a campaign making broad impact.
According to United States Cybersecurity and Infrastructure Security report, tooling observed in connection to Cl0p ransomware attacks includes initial intrusion via a set of remote access trojans (i.e. FlawedAmmyy, Truebot), deployment of tools such as SDBot and Cobalt Strike for lateral movement, and webshells as such Dewmode and Lemurloot.