Roughly a year after being at the centre of one of the world’s largest supply chain attacks, Fortra has revealed a new critical vulnerability with its GoAnywhere MFT file-sharing service.
The vulnerability – CVE-2024-0204 – when exploited, would allow an attacker to create a new admin user through GoAnywhere’s administration portal.
Threat actors could potentially harness this to gain access to administrative privileges, allowing them to steal data, disable services, launch malware or take over devices completely.
CVE-2024-0204 has been given a critical CVSS v3.1 rating of 9.8 out of 10 due to the fact that a threat actor could exploit it remotely.
Fortra said that affected versions include GoAnywhere MFT 6.x from 6.0.1 and 7.x before 7.4.1.
To secure their systems, Fortra has told customers to “upgrade to version 7.4.1 or higher”.
“The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services,” added Fortra.
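The two checks an administrator would want from the advisory above are whether an installed version falls inside the affected ranges (6.x from 6.0.1, 7.x before 7.4.1) and whether the file-removal workaround has been applied. The script below is an added example, not code from Fortra or from this article; it assumes that `InitialAccountSetup.xhtml` can be located by searching the install directory recursively, and the version strings and directories it uses in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Ranges stated in Fortra's advisory: 6.x from 6.0.1, and 7.x before 7.4.1.
# Together they form one contiguous range: 6.0.1 <= version < 7.4.1.
AFFECTED_FROM = (6, 0, 1)
FIXED_IN = (7, 4, 1)

# File named in the advisory's non-container workaround.
WORKAROUND_FILE = "InitialAccountSetup.xhtml"


def parse_version(text):
    """Turn a version string such as '7.4.1' or '7.4' into a 3-tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True when the version lies in the affected range from the advisory."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def workaround_applied(install_dir):
    """True when InitialAccountSetup.xhtml is absent from the install tree.

    Assumption: the file lives somewhere under install_dir, so a recursive
    search is used rather than a fixed sub-path.
    """
    return not any(Path(install_dir).rglob(WORKAROUND_FILE))


def assess(version, install_dir):
    """Summarise exposure for one installation as a short status string."""
    if not is_affected(version):
        return "not affected"
    if workaround_applied(install_dir):
        return "affected version, workaround applied; upgrade to 7.4.1 or higher"
    return "vulnerable: upgrade to 7.4.1 or higher, or remove the file and restart"


def demo():
    """Constructed scenario: two temporary install trees, one with the file removed."""
    results = {}
    with tempfile.TemporaryDirectory() as unpatched, tempfile.TemporaryDirectory() as worked_around:
        # Unpatched tree still carries the setup page (nested to exercise the recursive search).
        nested = Path(unpatched) / "adminroot"
        nested.mkdir()
        (nested / WORKAROUND_FILE).write_text("<html/>")
        results["7.4.0 with file"] = assess("7.4.0", unpatched)
        results["7.4.0 without file"] = assess("7.4.0", worked_around)
        results["7.4.1 with file"] = assess("7.4.1", unpatched)
        results["6.0.0 with file"] = assess("6.0.0", unpatched)
    return results


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario}: {status}")
```

Because deleting the file only removes the initial-setup page, the script treats it as a stopgap and still recommends the upgrade to 7.4.1 or higher that Fortra names as the fix.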
While the vulnerability was discovered back on 1 December 2023 and was patched under a week later on 7 December, Fortra only publicly disclosed the vulnerability and the patch on 22 January 2024.
However, the company issued private advisories to customers on 4 December, before the vulnerability was fixed, urging them to secure their systems without making the issue public and alerting potential threat actors.
Additionally, Fortra told BleepingComputer that it had not observed any cases of exploitation.
“We have no reports of active exploitation in the wild regarding this CVE. This was patched in December 2023,” it said.
While the patch has been released, the public advisory may encourage threat actors to attempt to exploit the vulnerability, hoping to catch companies that have not yet patched.
Just over a year ago, hackers leveraged a vulnerability in GoAnywhere MFT, resulting in 130 companies being breached.
The Clop ransomware group had reportedly exploited the zero-day vulnerability CVE-2023-0669 from 18 January 2023, with Fortra only discovering the exploitation on 3 February 2023.
It impacted a number of major organisations and agencies, including Meriton, Crown Resorts, Rio Tinto, the Tasmanian government and many more.
Not long after, Clop moved on to the MOVEit file transfer platform, which reached another 2,611 organisations. The two supply chain attacks earned the threat group the title of the most prolific operator of 2023.