
Urgent Security Alert: Critical Flaw in GoAnywhere MFT Earns CVSS Score of 10.0
A critical security vulnerability has been discovered in Fortra’s GoAnywhere MFT (Managed File Transfer) solution, a widely used tool for secure data exchange. The flaw, identified as CVE-2024-0204, has been assigned the highest possible severity rating—a CVSS score of 10.0, signifying a severe and easily exploitable weakness that requires immediate attention from administrators.
This vulnerability is an authentication bypass that allows a remote, unauthenticated attacker to create a new administrative user on a vulnerable GoAnywhere MFT instance. With full administrative privileges, an attacker can gain complete control over the system, potentially leading to data theft, ransomware deployment, or further network intrusion.
What is the GoAnywhere MFT Vulnerability (CVE-2024-0204)?
At its core, CVE-2024-0204 is an authentication bypass vulnerability. It exists within a specific component of the software’s web interface, enabling an attacker to bypass normal security checks and directly access the user creation endpoint.
The danger of this flaw is magnified by its simplicity. An attacker does not need any prior access, credentials, or special permissions to exploit it. The low complexity and lack of required user interaction are key reasons for its perfect 10.0 CVSS score. Once exploited, an attacker can create their own admin account, giving them the same level of control as a legitimate system administrator.
Which GoAnywhere MFT Versions Are Affected?
This critical vulnerability impacts older versions of the software. According to the official disclosure, organizations running the following versions are at risk:
- GoAnywhere MFT versions prior to 7.4.1
If your organization uses GoAnywhere MFT, it is crucial to verify your current version immediately to determine your exposure.
The Impact: Why This Flaw is So Dangerous
A successful exploit of CVE-2024-0204 grants an attacker complete control over the GoAnywhere MFT server. The potential consequences include:
- Complete Data Compromise: Attackers can view, modify, or exfiltrate any sensitive data managed by the file transfer system.
- System Sabotage: Malicious actors could delete or alter system configurations, disrupting critical business operations.
- Ransomware Deployment: With admin access, an attacker could use the server as a launchpad to deploy ransomware across the network.
- Lateral Movement: The compromised server can serve as an entry point for attackers to move deeper into an organization’s internal network.
This vulnerability echoes the severity of a previous GoAnywhere MFT zero-day flaw (CVE-2023-0669), which was heavily exploited by the Clop ransomware gang to steal data from over 130 organizations. This history underscores the fact that MFT solutions are high-value targets for cybercriminals.
Actionable Steps to Mitigate and Secure Your System
Given the critical nature of this vulnerability, immediate action is required. Administrators should prioritize the following steps to protect their systems.
1. Patch Immediately
The most effective solution is to update your instance to a patched version. Fortra has released GoAnywhere MFT version 7.4.1, which fully remediates this vulnerability. Upgrading should be your top priority.
2. Apply Temporary Workarounds (If You Cannot Patch Immediately)
If patching is not immediately possible, there are mitigation steps you can take to block the exploit path. You can apply this workaround by modifying a configuration file:
- In the <Install_Dir>/GoAnywhere/rest/web.xml file, comment out the servlet-mapping for the Registration and ForgotPassword servlets.
- After editing the file, you must restart the GoAnywhere MFT services for the changes to take effect.
Important Note: This is a temporary fix. It may impact legitimate functionality and does not replace the need to apply the official security patch.
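The workaround above is a manual edit of a deployment descriptor, and a mistake there (a nested comment, a half-removed element) leaves the web application unable to start. The script below is an added example, not Fortra's tooling or code from the article: it comments out exactly the servlet-mapping elements named in the workaround, refuses to write a file that no longer parses as XML, keeps a backup, and is safe to run a second time. The sample web.xml it operates on is constructed for the demonstration; the real file's servlet classes, url-patterns and namespace are assumptions, and the services still need a restart afterwards, as the text says.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Servlets the advisory's workaround says to unmap.
TARGET_SERVLETS = ("Registration", "ForgotPassword")

# Constructed sample web.xml. The real file lives at <Install_Dir>/GoAnywhere/rest/web.xml;
# its exact layout (url-patterns, namespace, other mappings) is an assumption here.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <servlet-mapping>
    <servlet-name>Registration</servlet-name>
    <url-pattern>/registration</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ForgotPassword</servlet-name>
    <url-pattern>/forgotPassword</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>FileTransfer</servlet-name>
    <url-pattern>/files/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
MAPPING_RE = re.compile(r"<servlet-mapping>.*?</servlet-mapping>", re.DOTALL)
NAME_RE = re.compile(r"<servlet-name>\s*([^<]*?)\s*</servlet-name>")


def disable_mappings(xml_text, servlets=TARGET_SERVLETS):
    """Wrap each targeted <servlet-mapping> in an XML comment.

    Returns (new_text, names_disabled). Text that is already inside a comment
    is skipped, so running this twice neither nests comments (an illegal '--'
    inside a comment) nor reports the same mapping again.
    """
    disabled = []

    def comment_out(m):
        block = m.group(0)
        name_m = NAME_RE.search(block)
        name = name_m.group(1) if name_m else ""
        if name not in servlets:
            return block
        disabled.append(name)
        return "<!-- disabled per CVE-2024-0204 workaround\n" + block + "\n-->"

    segments = COMMENT_RE.split(xml_text)      # text outside comments
    comments = COMMENT_RE.findall(xml_text)    # the comments themselves, in order
    out = []
    for i, seg in enumerate(segments):
        out.append(MAPPING_RE.sub(comment_out, seg))
        if i < len(comments):
            out.append(comments[i])
    new_text = "".join(out)
    ET.fromstring(new_text.encode("utf-8"))    # refuse to emit malformed XML
    return new_text, disabled


def _local(tag):
    return tag.rsplit("}", 1)[-1]              # strip any XML namespace prefix


def active_mappings(xml_text):
    """Servlet names that still have a live mapping once the file is parsed
    (the parser drops comments, so disabled mappings do not appear)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    names = []
    for el in root.iter():
        if _local(el.tag) == "servlet-mapping":
            for child in el:
                if _local(child.tag) == "servlet-name":
                    names.append((child.text or "").strip())
    return names


def apply_workaround(path):
    """Edit web.xml in place, keeping a .bak copy of the original.
    The GoAnywhere MFT services still have to be restarted afterwards."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    new_text, disabled = disable_mappings(original)
    if disabled:
        p.with_name(p.name + ".bak").write_text(original, encoding="utf-8")
        p.write_text(new_text, encoding="utf-8")
    return disabled


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "web.xml"
        f.write_text(SAMPLE_WEB_XML, encoding="utf-8")
        print("disabled:", apply_workaround(f))                                  # ['Registration', 'ForgotPassword']
        print("still mapped:", active_mappings(f.read_text(encoding="utf-8")))   # ['FileTransfer']
        print("second run disables:", apply_workaround(f))                       # []
```

Point `apply_workaround` at the real web.xml path once you have confirmed the element names match your installed version; `active_mappings` doubles as the post-change check that only the two intended servlets lost their mapping.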
3. Hunt for Indicators of Compromise (IoCs)
Since this flaw allows for the creation of new admin users, it is vital to audit your system for any signs of compromise. Review the list of administrative users in your GoAnywhere MFT console. Look for any unfamiliar or unauthorized accounts, especially those created recently. Scrutinize system logs for any suspicious activity related to user creation or unusual login times.
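The audit described above comes down to two checks: compare the current admin list against the admins you expect to exist, and read the audit log for user-creation events that have no authenticated actor behind them, happen at odd hours, or come from outside your network. The script below is an added example, not GoAnywhere's own export or log format: the user records, the key=value log lines, the field names and the internal address ranges are all constructed for the demonstration and should be swapped for your console export and real log layout.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# ---- Constructed sample data: not real GoAnywhere output; the field names
# ---- (username/created/created_by) and the key=value log format are assumptions.
ADMIN_USERS = [
    {"username": "admin",        "created": "2023-02-10T09:12:00", "created_by": "installer"},
    {"username": "j.doe",        "created": "2023-06-01T14:30:00", "created_by": "admin"},
    {"username": "svc_backup01", "created": "2024-01-20T03:47:12", "created_by": ""},
]
BASELINE_ADMINS = {"admin", "j.doe"}    # the admins your change records say should exist
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_LINES = """\
2024-01-19 10:02:11 INFO user=admin action=LOGIN src=10.0.5.12 result=SUCCESS
2024-01-20 03:47:12 INFO user=- action=CREATE_USER target=svc_backup01 role=Admin src=203.0.113.44 result=SUCCESS
2024-01-20 03:47:40 INFO user=svc_backup01 action=LOGIN src=203.0.113.44 result=SUCCESS
2024-01-20 09:15:03 INFO user=j.doe action=LOGIN src=10.0.5.30 result=SUCCESS
"""
NOW = datetime(2024, 1, 24, 12, 0, 0)   # fixed "now" so the sample is reproducible

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<kv>.*)$")


def audit_admins(users, baseline, now=NOW, window_days=30):
    """Flag admin accounts that are unexpected, recently created, or have no recorded creator."""
    findings = []
    for u in users:
        created = datetime.fromisoformat(u["created"])
        reasons = []
        if u["username"] not in baseline:
            reasons.append("not in approved admin baseline")
        if now - created <= timedelta(days=window_days):
            reasons.append(f"created within the last {window_days} days")
        if not u.get("created_by"):
            reasons.append("no recorded creator")
        if reasons:
            findings.append({"username": u["username"], "created": u["created"], "reasons": reasons})
    return findings


def parse_line(line):
    """Turn one key=value audit line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return fields


def is_internal(ip):
    """True only for addresses inside the ranges you have declared as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def scan_logs(lines, business_hours=(7, 19)):
    """Flag user-creation events and logins that look out of place."""
    findings = []
    for line in lines.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        reasons = []
        if f.get("action") == "CREATE_USER":
            if f.get("role") == "Admin":
                reasons.append("admin account created")
            if f.get("user") in ("", "-"):
                reasons.append("no authenticated actor on the create")
        if not (business_hours[0] <= f["ts"].hour < business_hours[1]):
            reasons.append("outside business hours")
        if not is_internal(f.get("src", "")):
            reasons.append("source not in internal ranges")
        if reasons:
            findings.append({"ts": f["ts"].isoformat(), "user": f.get("user"),
                             "action": f.get("action"), "target": f.get("target"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_admins(ADMIN_USERS, BASELINE_ADMINS):
        print("ACCOUNT", f["username"], "->", "; ".join(f["reasons"]))
    for f in scan_logs(LOG_LINES):
        print("LOG", f["ts"], f["action"], f.get("target") or f["user"], "->", "; ".join(f["reasons"]))
```

The account check and the log check are deliberately independent: an attacker who created an admin account and then removed the log line still shows up in the account audit, and a creation event whose account was later renamed still shows up in the log scan. Treat an admin account with no recorded creator, or a CREATE_USER event with no authenticated actor, as the strongest signal, since that is the shape an unauthenticated account creation would leave.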
In conclusion, CVE-2024-0204 represents a clear and present danger to any organization using an unpatched version of GoAnywhere MFT. The combination of remote exploitability, low complexity, and high impact necessitates swift and decisive action. Prioritize patching, apply workarounds if necessary, and audit your systems to ensure they have not already been compromised.
Source: https://go.theregister.com/feed/www.theregister.com/2025/09/19/gortra_goanywhere_bug/