A recent zero-day vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software has surfaced, posing a severe security risk.
Identified as CVE-2024-0204, this vulnerability has raised concern across the cybersecurity community because of its high potential for exploitation.
Let’s dissect this vulnerability.
CVE-2024-0204 manifests as an authentication bypass in versions of GoAnywhere MFT prior to 7.4.1.
Essentially, it allows an unauthorized individual to create an admin user via the administration portal. This is particularly alarming because of the level of access and control an admin account holds.
Fortra issued an advisory on January 22, 2024, describing the problem and providing mitigation steps.
They advise users who cannot immediately upgrade to the patched version 7.4.1 to delete or replace the InitialAccountSetup.xhtml file in their installation directory and restart their services.
The heart of this issue lies in a path traversal weakness in the /InitialAccountSetup.xhtml endpoint.
Path traversal vulnerabilities occur when software fails to properly sanitize input, allowing attackers to access or manipulate files outside of the intended directory.
In this case, the flaw could be exploited to create administrative users.
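As an added illustration (not code from the original article, Fortra, or Horizon3.ai), the following check scans web access logs for requests that reach the initial-setup endpoint either directly or through a parent-directory traversal sequence, which is the kind of evidence a defender would look for when hunting for CVE-2024-0204 activity. The log lines, client addresses and URL paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2024:10:01:12 +0000] "GET /goanywhere/ HTTP/1.1" 200 512
10.0.0.9 - - [23/Jan/2024:10:02:44 +0000] "POST /goanywhere/images/..%2FInitialAccountSetup.xhtml HTTP/1.1" 302 0
10.0.0.7 - - [23/Jan/2024:10:03:01 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 2048
10.0.0.9 - - [23/Jan/2024:10:03:20 +0000] "POST /goanywhere/InitialAccountSetup.xhtml HTTP/1.1" 200 1024
"""

# Fields of a combined-format line: client, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
SETUP_PAGE = "InitialAccountSetup.xhtml"  # the endpoint named in Fortra's advisory

def decode_path(uri: str, rounds: int = 3) -> str:
    """Strip the query string and percent-decode repeatedly so that
    double-encoded traversal sequences are seen in decoded form."""
    path = uri.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def analyze_request(method: str, uri: str) -> list[str]:
    """Return the reasons a request is suspicious (empty list if none)."""
    path = decode_path(uri)
    reasons = []
    # Fortra's mitigation deletes this file, so on a configured server any
    # request for it, traversal or not, is worth investigating.
    if SETUP_PAGE.lower() in path.lower():
        reasons.append(f"{method} to {SETUP_PAGE}")
    # A '..' segment anywhere in the decoded path is a traversal attempt.
    if ".." in path.split("/"):
        reasons.append("parent-directory traversal segment in path")
    return reasons

def scan_log(text: str) -> list[dict]:
    """Parse each log line and collect the requests that trigger a reason."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = analyze_request(m["method"], m["uri"])
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "uri": m["uri"],
                             "status": m["status"], "reasons": reasons})
    return findings
```

Run `scan_log` over a real access log and review every finding; a hit on a server that has completed initial setup warrants checking the admin user list for unexpected accounts.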
A detailed technical explanation of this vulnerability, including proof-of-concept (PoC) code, is available on GitHub, provided by Horizon3.ai.
This repository offers valuable insights into how the vulnerability can be exploited, making it a crucial resource for both security professionals and concerned users.