Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-0204 — Forced Browsing in Goanywhere MFT

CWE-425 — Forced Browsing CWE-89 — SQL Injection CWE-502 — Deserialization of Untrusted Data18 documents12 sources

Severity

9.8CRITICALNVD

VulnCheck7.2

EPSS

93.0%

top 0.21%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Fortra Goanywhere MFT Fortra Goanywhere Managed File Transfer Google Chrome Chrome

Timeline

PublishedJan 22

Latest updateMay 29

Description

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5fortra/goanywhere_mft6.0.1 — 7.4.1

▶NVDfortra/goanywhere_managed_file_transfer7.0.0 — 7.4.1+1

▶googlegoogle/chrome_chrome

🔴Vulnerability Details

GHSA

GHSA-f8xf-39w2-mrc6: Authentication bypass in Fortra's GoAnywhere MFT prior to 7↗2024-01-22

▶

VulnCheck

Fortra GoAnywhere MFT Direct Request ('Forced Browsing')↗2024

▶

VulnCheck

Progress MOVEit Transfer SQL Injection Vulnerability↗2023

▶

VulnCheck

Fortra GoAnywhere MFT Remote Code Execution Vulnerability↗2023

▶

💥Exploits & PoCs

Exploit-DB

Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass↗2025-05-29

▶

Metasploit

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution↗

▶

Nuclei

Fortra GoAnywhere MFT - Authentication Bypass

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M1 (CVE-2024-0204)↗2024-01-24

▶

Suricata

ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M1 (CVE-2024-0204)↗2024-01-24

▶

📋Vendor Advisories

Chrome

Long Term Support Channel Update for ChromeOS: CVE-2024-0204↗2024-03-11

▶

🕵️Threat Intelligence

Securelist

Advanced threat predictions for 2025↗2024-11-25

▶

Securelist

Advanced threat predictions for 2025↗2024-11-25

▶

Tenable

Cybersecurity Snapshot: LockBit Gang Gets Knocked Down, as CISA Stresses Security of Water Plants↗2024-02-23

▶

Wiz

Crying Out Cloud - February Newsletter | Wiz↗2024-02-01

▶

Bleepingcomputer

Fortra warns of new critical GoAnywhere MFT auth bypass, patch now↗2024-01-23

▶