Exploit code is now available for a critical authentication bypass vulnerability in Fortra's GoAnywhere MFT software that allows attackers to create new admin users on unpatched instances via the administration portal.
GoAnywhere MFT is a web-based managed file transfer tool that helps organizations transfer files securely with partners and keep audit logs of who accessed all shared files.
While Fortra silently patched the bug on December 7 with the release of GoAnywhere MFT 7.4.1, the company only publicly disclosed it today in an advisory offering limited information.
Fortra also issued private advisories to customers on December 4 before fixing the flaw, urging them to secure their MFT services to keep their data safe.
Xhtml file in the installation directory and restarting the services.
Xhtml file with an empty file and restarting the services.
The company told BleepingComputer on Tuesday that there have been no reports of attacks exploiting this vulnerability.
Today, almost seven weeks later, security researchers with Horizon3's Attack Team published a technical analysis of the vulnerability and shared a proof-of-concept exploit that helps create new admin users on vulnerable GoAnywhere MFT instances exposed online.
Their exploit takes advantage of the path traversal issue at the root of CVE-2024-0204 to access the vulnerable /InitialAccountSetup.xhtml endpoint and start the initial account setup screen to create a new administrator account.
Now that Horizon3 has released a PoC exploit, it's very likely that threat actors will start scanning for and compromising all GoAnywhere MFT instances left unpatched.
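For defenders reviewing exposed instances, the following added example (not from the article, Fortra or Horizon3) scans web access logs for any request that reaches the InitialAccountSetup.xhtml endpoint named above, including percent-encoded spellings. It assumes Common/Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the article; compared case-insensitively after decoding.
TARGET = "initialaccountsetup.xhtml"

# Assumption: the web access log uses Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded paths are caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_setup_requests(lines):
    """Map client IP -> [(timestamp, method, decoded_path, status), ...]."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        path = fully_decode(m["target"].split("?", 1)[0])
        if TARGET in path.lower():
            hits[m["ip"]].append((m["ts"], m["method"], path, int(m["status"])))
    return dict(hits)

def served(hits):
    """Clients that got a 2xx for the setup page: review these first."""
    return sorted(ip for ip, rs in hits.items() if any(200 <= r[3] < 300 for r in rs))

# Constructed sample lines (documentation IP ranges, invented sizes and times).
SAMPLE = [
    '198.51.100.7 - - [23/Jan/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [23/Jan/2024:10:05:11 +0000] "GET /InitialAccountSetup.xhtml HTTP/1.1" 200 8812',
    '203.0.113.9 - - [23/Jan/2024:10:05:19 +0000] "POST /InitialAccountSetup.xhtml HTTP/1.1" 302 0',
    '192.0.2.44 - - [23/Jan/2024:11:30:45 +0000] "GET /%49nitialaccountsetup%252Exhtml HTTP/1.1" 404 310',
    'service restarted',
]

if __name__ == "__main__":
    found = find_setup_requests(SAMPLE)
    print(found, "served:", served(found))
```

Any hit on an instance that has already completed setup is worth pairing with a review of the admin user list for accounts nobody on the team created.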
The Clop ransomware gang breached over 100 organizations by exploiting a critical remote code execution flaw in the GoAnywhere MFT software.
Clop's attacks began on January 18, 2023, and Fortra discovered that the flaw was being weaponized to breach its customers' secure file servers on February 3.
Clop's involvement in last year's data theft campaign is part of a much broader pattern of targeting MFT platforms in recent years.
Other instances include the breach of Accellion FTA servers in December 2020, SolarWinds Serv-U servers in 2021, and the widespread exploitation of MOVEit Transfer servers starting June 2023.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 23 Jan 2024 23:20:04 +0000