GoAnywhere MFT by Fortra: Exploit Released for Authentication Bypass, Admin User Creation

Jan 24, 2024 | News





Exploit code has surfaced for a critical authentication bypass vulnerability present in Fortra’s GoAnywhere MFT (Managed File Transfer) software. This vulnerability allows attackers to generate new admin users on instances lacking the latest patches, exploiting the administration portal as the point of entry.

While Fortra silently patched the bug (CVE-2024-0204) on December 7 with the release of GoAnywhere MFT 7.4.1, the company only publicly disclosed it yesterday in an advisory offering limited information. However, Fortra also issued private advisories to customers on December 4 before fixing the flaw, urging them to secure their MFT services to keep their data safe.


Admins who haven’t upgraded yet and can’t immediately move to the latest version are advised to remove the attack vector by deleting the InitialAccountSetup.xhtml file in the installation directory and restarting the services, or by replacing the InitialAccountSetup.xhtml file with an empty file and restarting the services. The company stated that there have been no reports of attacks exploiting this vulnerability.
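A read-only way to confirm that the workaround above took effect, as an added example (not Fortra's or the article's code): it searches an install directory for InitialAccountSetup.xhtml and reports whether each copy is still present, empty, or gone. The install path is supplied by the operator, and the directory layout used in demo() is constructed.

```python
import os
import sys
import tempfile

TARGET = "InitialAccountSetup.xhtml"  # file named in the workaround above


def audit_install(install_dir):
    """Return sorted [(path, state)] for each copy of TARGET under install_dir;
    state is "empty" (zero bytes) or "present". [] means the file was deleted."""
    if not os.path.isdir(install_dir):
        # A mistyped path must not be reported as "file deleted".
        raise FileNotFoundError(f"not a directory: {install_dir}")
    findings = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            # Case-insensitive match, since Windows file systems ignore case.
            if name.lower() == TARGET.lower():
                path = os.path.join(root, name)
                state = "empty" if os.path.getsize(path) == 0 else "present"
                findings.append((path, state))
    return sorted(findings)


def workaround_applied(findings):
    """True when no non-empty copy of TARGET remains."""
    return all(state == "empty" for _path, state in findings)


def demo():
    """Audit a constructed directory tree (hypothetical layout, not a real install)."""
    with tempfile.TemporaryDirectory() as tmp:
        page = os.path.join(tmp, "webapp", TARGET)
        os.makedirs(os.path.dirname(page))
        with open(page, "w") as fh:
            fh.write("<html>setup form</html>")  # constructed content
        before = workaround_applied(audit_install(tmp))
        open(page, "w").close()  # option 2: replace with an empty file
        after_empty = workaround_applied(audit_install(tmp))
        os.remove(page)  # option 1: delete the file
        return before, after_empty, audit_install(tmp)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit the directory given on the command line
        found = audit_install(sys.argv[1])
        print(found, "applied" if workaround_applied(found) else "NOT applied")
    else:
        print(demo())
```

The check covers file state only; the service restart that the workaround calls for has to be confirmed separately.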
 
Security researchers with Horizon3’s Attack Team have published a technical analysis of the vulnerability and shared a proof-of-concept (PoC) exploit that helps create new admin users on vulnerable GoAnywhere MFT instances exposed online. Their exploit takes advantage of the path traversal issue at the root of CVE-2024-0204 to access the vulnerable /InitialAccountSetup.xhtml endpoint and start the initial account setup screen to create a new administrator account.
 
Exploit used to create new GoAnywhere MFT admin users (Horizon3)



With the release of a PoC exploit, it’s likely that threat actors will start scanning for and compromising all GoAnywhere MFT instances left unpatched.

This vulnerability has been linked to the Clop ransomware gang’s breach campaign, which targeted over 100 organizations by exploiting a critical remote code execution flaw (CVE-2023-0669) in the GoAnywhere MFT software.

The list of victims includes healthcare giant Community Health Systems (CHS), Procter & Gamble, Rubrik, Hitachi Energy, Hatch Bank, Saks Fifth Avenue, and the City of Toronto, Canada. This incident is part of a broader pattern of targeting MFT platforms in recent years, including the breach of Accellion FTA servers in December 2020, SolarWinds Serv-U servers in 2021, and the widespread exploitation of MOVEit Transfer servers starting May 27, 2023.

Source: bleepingcomputer.com
