PoC Code Published for Just-Disclosed Fortra GoAnywhere Vulnerability

January 24, 2024 at 09:24AM

A critical vulnerability (CVE-2024-0204, CVSS score 9.8) in Fortra’s GoAnywhere MFT allows an unauthenticated attacker to create an admin user. Fortra released patches on Dec 7 and urged customers to update to version 7.4.1. Horizon3.ai published a technical writeup on the bug’s root cause, along with PoC code, one day after the public advisory. Rapid7 advises applying the available mitigations.

Key takeaways:
– A critical vulnerability (CVE-2024-0204) in Fortra’s GoAnywhere MFT product was disclosed and had a CVSS score of 9.8.
– The vulnerability allowed an unauthenticated attacker to create an administrator user for the application via the administration portal.
– The impacted versions were 6.x and 7.x of GoAnywhere MFT.
– Fortra issued patches for the bug on December 7 and recommended updating to version 7.4.1 or higher.
– Horizon3.ai published a technical writeup on the bug’s root cause and made PoC code available within a day of the public advisory.
– The vulnerability appeared to be rooted in a path traversal issue typically found in Tomcat-based applications.
– Rapid7 recommended that organizations ensure administrative portals are not accessible from the internet, and that they apply the available mitigations if updating to the latest GoAnywhere MFT version is not possible.