Popular file transfer software has a seriously dangerous security bug that gives anyone free administrator rights — so patch it now to avoid another Moveit-like debacle
A bug allows threat actors to create a new admin account
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
GoAnywhere ManagedFile Transfer(MFT), the program at the center of a major data reach scandal around a year ago, may have a new high-severity vulnerability which users should patch immediately to avoid more trouble.
Cybersecurity researchers Mohammed Eldeeb and Islam Elrfai from Spark Engineering Consultants discovered the flaw in December 2023, and disclosed it to GoAnywhere’s developer, Fortra.
It is described as a path traversal weakness, and tracked as CVE-2024-0204. It has a severity score of 9.8/10, making it critical.
A workaround is available, too
As explained by the researchers, as well as cybersecurity firm Horizon3.ai, which subsequently published a proof-of-concept (PoC) exploit, the vulnerability can be used to create a new administrator user for the tool:
“Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal,” a new Fortra advisoryreads.
“The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section,” Horizon3.ai security researcher Zach Hanley said. “If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise.”
Those who are unable to apply the patch at this time can apply a temporary workaround in non-container deployment - delete the InitialAccountSetup.xhtml file in the install directory and then restart the device. For container-deployed instances, Fortra recommends replacing the file with an empty one before restarting.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
There is currently no evidence of the vulnerability being exploited in the wild, but with the news broken, and a PoC available, it’s only a matter of time before unpatched endpoints get targeted. Users should apply the patch immediately and avoid risking the integrity of their data.
Last year, a vulnerability in GoAnywhere resulted in sensitive data from almost 130 organizations being stolen.
ViaTheHackerNews
More from TechRadar Pro
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
A new form of macOS malware is being used by devious North Korean hackers
Scammers are using fake copyright infringement claims to hack businesses
Quordle today – hints and answers for Saturday, November 9 (game #1020)