CVE-2024-0204
published 2024-01-22

CVE-2024-0204: Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Priority: P1 · 91 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 95.09% (99.9th percentile)

Affected (4 ranges)

Vendor   Product                            Version range        Fixed in
fortra   goanywhere_managed_file_transfer   -                    -
fortra   goanywhere_managed_file_transfer   >= 7.0.0, < 7.4.1    7.4.1
fortra   goanywhere_mft                     >= 6.0.1, < 7.4.1    7.4.1
google   chrome_chrome                      -                    -

Detection & IOCs (extracted from sources)

path      /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml
path      /InitialAccountSetup.xhtml
filename  InitialAccountSetup.xhtml
other     http.favicon.hash:1484947000
other     icon_hash=1484947000
yara      matchers: words: ["Create an administrator account", "goanywhere"] AND status: 200
  • Check for new or unexpected accounts in the GoAnywhere MFT 'Admin Users' group (Users -> Admin Users) as the primary indicator of compromise; review last logon timestamps to estimate date of compromise.
  • Detect path traversal attempts targeting the InitialAccountSetup.xhtml endpoint via the '..;/' bypass pattern in HTTP request paths (e.g., /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml).
  • Use Shodan favicon hashes 1484947000, 1828756398, or 1170495932 to identify internet-exposed GoAnywhere MFT instances for proactive asset discovery and patching prioritization.
  • The Metasploit module for CVE-2024-0204 chains admin account creation with JSP payload upload to achieve RCE; monitor for unexpected JSP file uploads following any suspicious admin account creation events.
  • The vulnerable InitialAccountSetup.xhtml endpoint should not be accessible after initial server setup; its presence and accessibility indicate either a misconfiguration or an unpatched installation. Mitigation (short of patching to 7.4.1) is to delete this file or replace it with an empty file, then restart services.
  • The vulnerability affects GoAnywhere MFT 6.x from 6.0.1 and all 7.x versions before 7.4.1; the fix was silently released on December 7, 2023, but public disclosure was delayed by approximately seven weeks, increasing the exposure window.

CVSS provenance

NVD        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck         9.8   CRITICAL