24 January 2024

Critical vulnerability discovered in Fortra’s GoAnywhere MFT, patch ASAP


Fortra has warned of a critical vulnerability in its widely used GoAnywhere MFT (Managed File Transfer) that could allow hackers to compromise unpatched instances.

GoAnywhere MFT is a popular file-sharing service used by large businesses to share sensitive files securely.

Tracked as CVE-2024-0204, the vulnerability is an authentication bypass caused by missing authorization checks on the InitialAccountSetup.xhtml file, combined with a path normalization issue. If exploited, the bug allows a remote, unauthenticated attacker to bypass the authentication process and gain full control over the system by creating an administrative account.

The flaw affects GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier, and was fixed in GoAnywhere MFT 7.4.1. Fortra addressed the vulnerability in a December 7, 2023 release of GoAnywhere MFT but, for some reason, publicly disclosed it only now.

“Upgrade to version 7.4.1 or higher. The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart,” the company recommended.
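The version range and file workaround above can be checked per host with a short triage script. This is an added example, not Fortra's tooling. The function names and status strings are hypothetical, and because the advisory does not say where the file sits inside the install directory, the script searches the whole tree.

```python
import os
import tempfile

PAGE = "InitialAccountSetup.xhtml"   # file named in the advisory
FIRST_AFFECTED = (6, 0, 1)           # "6.x from 6.0.1"
FIXED = (7, 4, 1)                    # fixed in 7.4.1

def parse_version(text):
    """'7.4.0' -> (7, 4, 0); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def in_affected_range(version):
    """True for versions the advisory lists as affected."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED

def setup_page_state(install_dir):
    """Return 'absent', 'emptied' or 'present' for the setup page.

    Every copy under install_dir is checked (assumption: the exact
    location is not given in the advisory).
    """
    copies = [os.path.join(root, name)
              for root, _dirs, files in os.walk(install_dir)
              for name in files if name.lower() == PAGE.lower()]
    if not copies:
        return "absent"      # non-container workaround: file deleted
    if all(os.path.getsize(p) == 0 for p in copies):
        return "emptied"     # container workaround: empty file
    return "present"

def assess(version, install_dir):
    """Combine the version check with the workaround check."""
    if not in_affected_range(version):
        return "outside affected range"
    state = setup_page_state(install_dir)
    if state == "present":
        return "exposed: upgrade or apply the file workaround"
    return "workaround in place (%s): upgrade still recommended" % state

if __name__ == "__main__":
    # Constructed demo tree, not a real GoAnywhere layout.
    with tempfile.TemporaryDirectory() as demo:
        os.makedirs(os.path.join(demo, "webapp"))
        page = os.path.join(demo, "webapp", PAGE)
        with open(page, "w") as fh:
            fh.write("<html/>")
        print(assess("7.4.0", demo))
        open(page, "w").close()          # replace with an empty file
        print(assess("7.4.0", demo))
```

The script cannot confirm that services were restarted after the file change, which the workaround requires.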

While there’s no indication that this flaw is being exploited in the wild, proof-of-concept (PoC) code for CVE-2024-0204 is available, meaning that active exploitation attempts are likely to follow soon.

In February 2023, another critical vulnerability (CVE-2023-0669) in GoAnywhere MFT was exploited as a zero-day in a large-scale extortion campaign conducted by the Cl0p ransomware group, which affected more than 100 organizations worldwide.
