CVE-2024-0204
Published 2024-01-22
CVE-2024-0204: Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
Priority P191 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 95.09% (99.9th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortra | goanywhere_managed_file_transfer | — | — |
| fortra | goanywhere_managed_file_transfer | >= 7.0.0 < 7.4.1 | 7.4.1 |
| fortra | goanywhere_mft | >= 6.0.1 < 7.4.1 | 7.4.1 |
| chrome_chrome | — | — | — |
Detection & IOCs
yara
matchers: words: ["Create an administrator account", "goanywhere"] AND status: 200
- Check for new or unexpected accounts in the GoAnywhere MFT 'Admin Users' group (Users -> Admin Users) as the primary indicator of compromise; review last logon timestamps to estimate date of compromise.
- Detect path traversal attempts targeting the InitialAccountSetup.xhtml endpoint via the '..;/' bypass pattern in HTTP request paths (e.g., /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml).
- Use Shodan favicon hashes 1484947000, 1828756398, or 1170495932 to identify internet-exposed GoAnywhere MFT instances for proactive asset discovery and patching prioritization.
- The Metasploit module for CVE-2024-0204 chains admin account creation with JSP payload upload to achieve RCE; monitor for unexpected JSP file uploads following any suspicious admin account creation events.
- The vulnerable InitialAccountSetup.xhtml endpoint should not be accessible after initial server setup; its presence and accessibility indicates either a misconfiguration or an unpatched installation. Mitigation (short of patching to 7.4.1) is to delete or replace this file with an empty file and restart services.
- The vulnerability affects GoAnywhere MFT 6.x from 6.0.1 and all 7.x versions before 7.4.1; the fix was silently released on December 7, 2023, but public disclosure was delayed by approximately seven weeks, increasing exposure window.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-f8xf-39w2-mrc6: Authentication bypass in Fortra's GoAnywhere MFT prior to 7
ghsa_unreviewed·2024-01-22
CVE-2024-0204 [CRITICAL] CWE-425 GHSA-f8xf-39w2-mrc6: Authentication bypass in Fortra's GoAnywhere MFT prior to 7
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
VulnCheck
Fortra GoAnywhere MFT Direct Request ('Forced Browsing')
vulncheck·2024·CVSS 9.8
CVE-2024-0204 [CRITICAL] Fortra GoAnywhere MFT Direct Request ('Forced Browsing')
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
Affected: Fortra GoAnywhere MFT
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-25&host_type=src&vulnerability=cve-2024-0204; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-26&host_type=src&vulnerability=cve-2024-0204; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-27&host_type=src&vulnerabilit
VulnCheck
Progress MOVEit Transfer SQL Injection Vulnerability
vulncheck·2023·CVSS 9.8
CVE-2023-34362 [CRITICAL] CWE-89 Progress MOVEit Transfer SQL Injection Vulnerability
Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
Affected: Progress MOVEit Transfer
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/alerts/2023/06/01/progress-software-releases-security-advisory-moveit-transfer; https://twitter.com/cglyer/status/166553916246273
VulnCheck
Fortra GoAnywhere MFT Remote Code Execution Vulnerability
vulncheck·2023·CVSS 7.2
CVE-2023-0669 [HIGH] CWE-502 Fortra GoAnywhere MFT Remote Code Execution Vulnerability
Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object.
Affected: Fortra GoAnywhere MFT
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.hhs.gov/sites/default/files/clop-allegedly-targeting-healthcare-industry-sector-alert.pdf; https://www.rubrik.com/blog/company/23/3/fortra-goanywhere; https://www.bleepingcomputer.com/news/security/hitachi-energy-
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2024-0204
vendor_chrome·2024-03-11·CVSS 9.8
CVE-2024-0204 [CRITICAL] Long Term Support Channel Update for ChromeOS: CVE-2024-0204
Long Term Support Channel Update for ChromeOS
CVE-2024-0204
Suricata
ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M1 (CVE-2024-0204)
suricata·2024-01-24·CVSS 9.8
CVE-2024-0204 [CRITICAL] ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M1 (CVE-2024-0204)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M1 (CVE-2024-0204)"; flow:established,to_server; http.request_line; content:"POST /goanywhere/"; startswith; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x3b|%3[Bb]){1,})/R"; content:"/wizard/InitialAccountSetup.xhtml"; within:60; fast_pattern; reference:url,www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/; reference:cve,2024-0204; classtype:attempted-admin; sid:2050436; rev:3; metadata:affected_product Web_Server_Applications, created_at 2024_01_24, cve CVE_2024_0204, deployment Perimeter, deployment Internal, deployment SSLDecryp
Suricata
ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M1 (CVE-2024-0204)
suricata·2024-01-24·CVSS 9.8
CVE-2024-0204 [CRITICAL] ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M1 (CVE-2024-0204)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M1 (CVE-2024-0204)"; flow:established,to_server; http.request_line; content:"GET /goanywhere/"; startswith; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x3b|%3[Bb]){1,})/R"; content:"/wizard/InitialAccountSetup.xhtml"; within:60; fast_pattern; reference:url,www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/; reference:cve,2024-0204; classtype:attempted-admin; sid:2050434; rev:3; metadata:affected_product Web_Server_Applications, created_at 2024_01_24, cve CVE_2024_0204, deployment Perimeter, deployment Internal, deployment SSLDecrypt,
Suricata
ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
suricata·2015-03-11·CVSS 4.3
CVE-2015-0204 [MEDIUM] ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
Rule: alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:4; metadata:created_at 2015_03_11, cve CVE_2015_0204, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_
Exploit-DB
Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
exploitdb·2025-05-29·CVSS 9.8
CVE-2024-0204 [CRITICAL] Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
---
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
# Date: 2025-05-25
# Exploit Author: @ibrahimsql
# Exploit Author's github: https://github.com/ibrahimsql
# Vendor Homepage: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft
# Software Link: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft/free-trial
# Version: Dict:
"""
Check if target is vulnerable to CVE-2024-0204 and attempt to create an admin account
Args:
target: The target URL/domain to check
Returns:
Dict containing result information
"""
result = {
"target": target,
"vulnerable": False,
"message": "",
"admin_created": False,
"error": None
}
# Try primary exploit path fi
Metasploit
Fortra GoAnywhere MFT Unauthenticated Remote Code Execution
metasploit
This module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.
Nuclei
Fortra GoAnywhere MFT - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-0204 [CRITICAL] Fortra GoAnywhere MFT - Authentication Bypass
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
Template:
id: CVE-2024-0204
info:
  name: Fortra GoAnywhere MFT - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
  impact: |
    Unauthenticated attackers can bypass authentication to create administrator accounts, leading to complete control over the GoAnywhere MFT system and access to all managed file transfers and sensitive data.
  remediation: |
    Upgrade to Fortra GoAnywhere MFT version 7.4.1 or later.
  reference:
    - https://my.goan
Securelist
Advanced threat predictions for 2025
blogs_securelist·2024-11-25
Table of Contents
Review of last year’s predictions
The rise of creative exploits for mobile, wearables and smart devices
Building new botnets with consumer and corporate software and appliances
Barriers to kernel-level code execution increasingly evaded (kernel rootkits hot again)
Growth in cyberattacks by state-sponsored actors
Hacktivism in cyber-warfare: the new normal in geopolitical conflicts
Supply chain attacks as a service: operators bulk-buying access
Spear-phishing to expand with accessible generative AI
Emergence of more groups offering hack-for-hire services
MFT systems at the forefront of cyberthreats
APT predictions for 2025
Hacktivist alliances to escalate in 2025
The IoT to become a growing attack vector for APTs in 2025
Increasing supply chain attacks on ope
Securelist
Advanced threat predictions for 2025
blogs_securelist·2024-11-25·CVSS 8.8
[HIGH] Advanced threat predictions for 2025
Table of Contents
- Review of last year’s predictions
- APT predictions for 2025
Authors
- Igor Kuznetsov
- Giampaolo Dedola
- Georgy Kucherin
- Maher Yamout
- Vasily Berdnikov
- Isabel Manjarrez
- Ilya Savelyev
- Joao Godinho
We at Kaspersky’s Global Research and Analysis Team monitor over 900 APT (advanced persistent threat) groups and operations. At the end of each year, we take a step back to assess the most complex and sophisticated attacks that have shaped the threat landscape. These insights enable us to anticipate emerging trends and build a clearer picture of what the APT landscape may look like in the year ahead.
In this article in the KSB series, we review the trends of the past year, reflect on the predictions we made for 2024, and offer insights into what we can expect in
Tenable
Cybersecurity Snapshot: LockBit Gang Gets Knocked Down, as CISA Stresses Security of Water Plants
blogs_tenable·2024-02-23
Wiz
Crying Out Cloud - February Newsletter | Wiz
blogs_wiz·2024-02-01·CVSS 9.8
CVE-2023-33246 [CRITICAL] Crying Out Cloud - February Newsletter | Wiz
This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
Here are our top picks!
## 🐞 High Profile Vulnerabilities
Apache RocketMQ RCE vulnerability exploited in-the-wild
In August 2023 researchers identified attackers exploiting CVE-2023-33246, a critical vulnerability in Apache RocketMQ, to install the DreamBus bot, a malware strain last reported about publicly in 2021. On January 5, 2024 Apache stated that the patch for CVE-2023-33246 was in fact insufficient, and an additional CVE was assigned to the bypass - CVE-2023-37582. The latter vulnerability is also being exploited in the wild, so it is recommended to patc
Bleepingcomputer
Fortra warns of new critical GoAnywhere MFT auth bypass, patch now
blogs_bleepingcomputer·2024-01-23·CVSS 9.8
[CRITICAL] Fortra warns of new critical GoAnywhere MFT auth bypass, patch now
## Fortra warns of new critical GoAnywhere MFT auth bypass, patch now
## Bill Toulas
Fortra is warning of a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) versions before 7.4.1 that allows an attacker to create a new admin user.
GoAnywhere MFT is used by organizations worldwide to securely transfer files with customers and business partners. It supports secure encryption protocols, automation, centralized control, and various logging and reporting tools that aid in legal compliance and auditing.
The newly disclosed flaw is tracked as CVE-2024-0204 and is rated critical with a CVSS v3.1 score of 9.8 as it is remotely exploitable, allowing an unauthorized user to create admin users via the product’s administration portal.
Creating arbitrary accoun
Bleepingcomputer
Exploit released for Fortra GoAnywhere MFT auth bypass bug
blogs_bleepingcomputer·2024-01-23·CVSS 9.8
[CRITICAL] Exploit released for Fortra GoAnywhere MFT auth bypass bug
## Exploit released for Fortra GoAnywhere MFT auth bypass bug
## Sergiu Gatlan
Exploit code is now available for a critical authentication bypass vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) software that allows attackers to create new admin users on unpatched instances via the administration portal.
GoAnywhere MFT is a web-based managed file transfer tool that helps organizations transfer files securely with partners and keep audit logs of who accessed all shared files.
While Fortra silently patched the bug (CVE-2024-0204) on December 7 with the release of GoAnywhere MFT 7.4.1, the company only publicly disclosed it today in an advisory offering limited information (more details are available in a private customer advisory).
However, Fortra also issued private
Tenable
CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Vulnerability
blogs_tenable·2024-01-23·CVSS 9.8
[CRITICAL] CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Vulnerability
- http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html
- http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html
- https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml
- https://www.fortra.com/security/advisory/fi-2024-001
Published 2024-01-22 · Exploited in the wild