Understanding CVE-2024-0204
This vulnerability, rated CVSS 9.8 (critical), is an authentication bypass: a path traversal weakness lets an unauthenticated request reach the "/InitialAccountSetup.xhtml" setup-wizard page of the administration portal, which in turn allows an administrative user to be created. It affects GoAnywhere MFT 6.x from 6.0.1 and 7.x up to and including 7.4.0. The flaw was discovered and reported to Fortra in December 2023, but the company only publicly disclosed it in a recent advisory.
Exploitation & Impact
An attacker who creates an admin account through this flaw can take over the system completely: read the sensitive files it transfers, upload malware, and use the host as a foothold for further attacks on the network. There is currently no evidence of exploitation in the wild, but the Horizon3.ai security team has published a proof-of-concept (PoC) exploit, which will make exploitation of unpatched instances considerably easier. One indicator of compromise is any unexpected new entry in the 'Admin Users' group, visible in the GoAnywhere administrator portal under Users / Admin Users.
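The indicator of compromise above is easiest to act on as a diff. The following is an added example, not Holm Security's or Fortra's code: it compares a current export of the Admin Users list against a known-good baseline and also flags any admin account created on or after a cutoff date, because an account planted before the baseline was taken would otherwise go unnoticed. The two-column "username,created" listing and the dates in it are constructed for illustration; the real export from Users / Admin Users will need its own parsing.

```python
from dataclasses import dataclass

# Constructed sample data (not from a real GoAnywhere instance).
BASELINE = """
# username,created   -- baseline taken before the advisory was published
administrator,2022-03-14
mft-ops,2023-06-02
svc_transfer,2023-12-15
"""

CURRENT = """
# username,created   -- listing taken after the advisory was published
administrator,2022-03-14
mft-ops,2023-06-02
svc_transfer,2023-12-15
svc_backup,2024-01-24
"""

# Fortra's fix shipped in December 2023; any admin account created since then
# deserves a second look even if it already appears in the baseline.
CUTOFF = "2023-12-01"


@dataclass(frozen=True)
class AdminUser:
    username: str
    created: str  # ISO date string (assumed export format); compares lexicographically


def parse_admin_users(text: str) -> dict[str, AdminUser]:
    """Parse the constructed 'username,created' listing, skipping blank and comment lines."""
    users: dict[str, AdminUser] = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        username, created = (field.strip() for field in line.split(",", 1))
        users[username] = AdminUser(username, created)
    return users


def suspicious_admin_users(baseline: str, current: str, cutoff: str = CUTOFF) -> list[AdminUser]:
    """Return admin users that are either absent from the baseline or created on/after cutoff."""
    known = parse_admin_users(baseline)
    now = parse_admin_users(current)
    flagged = [
        user
        for name, user in now.items()
        if name not in known or user.created >= cutoff
    ]
    return sorted(flagged, key=lambda u: (u.created, u.username))


if __name__ == "__main__":
    for user in suspicious_admin_users(BASELINE, CURRENT):
        reason = "not in baseline" if user.username not in parse_admin_users(BASELINE) else "created after cutoff"
        print(f"CHECK admin user {user.username} (created {user.created}): {reason}")
```

Treat every flagged account as unexplained until someone can vouch for it; an attacker who used this bug picked a plausible-looking name, not one that stands out.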
Patch & Mitigation
Fortra urges administrators to upgrade to version 7.4.1 or later. For those unable to apply the fix immediately, the vendor's temporary workaround is to delete the "InitialAccountSetup.xhtml" file in the installation directory and restart the services. In container-deployed instances, the file should instead be replaced with an empty one, followed by a restart of the services. Neither the patch nor the workaround removes an admin account that an attacker may already have created, so the Admin Users list should be reviewed in any case.
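The affected-version rule and the workaround are both mechanical enough to script. The following is an added example, not Fortra's own tooling: is_vulnerable() encodes the version range from the advisory (6.x from 6.0.1, 7.x before 7.4.1), and apply_workaround() deletes every InitialAccountSetup.xhtml under an install directory, or truncates it to an empty file when the instance runs in a container. The install path, the sub-directory used in the self-check, and the services restart are assumptions: point the function at your real installation and restart the GoAnywhere services yourself afterwards, since the script does not do that.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (7, 4, 1)   # first release containing the fix
SETUP_PAGE = "InitialAccountSetup.xhtml"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '7.4.0' (or '7.4.1-build2') into a comparable tuple of integers."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """Affected: 6.x from 6.0.1, and 7.x before 7.4.1 (per the advisory)."""
    v = parse_version(version)
    if v[0] == 6:
        return v >= (6, 0, 1)
    if v[0] == 7:
        return v < FIXED_VERSION
    return False


def apply_workaround(install_dir: Path, container: bool) -> list[Path]:
    """Delete the setup page, or empty it in containers. Returns the paths acted on."""
    acted_on = []
    for page in install_dir.rglob(SETUP_PAGE):
        if container:
            page.write_bytes(b"")   # keep the path, serve nothing
        else:
            page.unlink()
        acted_on.append(page)
    return acted_on


def demo_workaround() -> dict:
    """Self-check on a scratch directory (constructed layout, not a real install)."""
    results = {}
    for container in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp) / "GoAnywhere"
            # Assumed location of the page inside the install tree; rglob makes it irrelevant.
            page = root / "adminroot" / "wizard" / SETUP_PAGE
            page.parent.mkdir(parents=True)
            page.write_text("<html>setup wizard</html>")
            touched = apply_workaround(root, container=container)
            results["container" if container else "host"] = {
                "touched": len(touched),
                "exists": page.exists(),
                "size": page.stat().st_size if page.exists() else None,
            }
    return results


if __name__ == "__main__":
    for v in ("6.0.0", "6.0.1", "7.4.0", "7.4.1", "7.5.0"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'not affected'}")
    print(demo_workaround())
```

Keep a copy of the deleted file if you need to restore the wizard after patching; the 7.4.1 upgrade ships its own fixed copy, so the workaround is only a stopgap until the upgrade runs.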
Holm Security Vulnerability Management Platform
Holm Security has released an authenticated vulnerability test that verifies whether the GoAnywhere MFT version installed on the target systems is affected by this flaw:
- HID-2-1-5355472 GoAnywhere MFT: Authentication Bypass Vulnerability (fi-2024-001)
For the latest information, please refer to this help desk article.
Nicola Albanese
Nicola Albanese is a Security Developer in our Security Research Team. He has written and translated news, reviews, and documentation about electronics, networks, and security devices for nearly 15 years. He also worked as a second-level technician for AT&T's EMEA backbone networks before answering the call of information and data security in 2018.