Another day, another MFT exploit.
Over the past year, Managed File Transfer (MFT) applications have experienced a notable surge in attacks, a trend we’ve reported on multiple occasions. These tools are appealing targets for multiple reasons: they frequently house sensitive data, and they’re typically designed to function over web-accessible interfaces. While the latter enhances user accessibility, it also often creates additional initial access points, especially since admin interfaces are often misconfigured to allow access from the public internet.
Fortra’s GoAnywhere MFT is one such tool that garnered significant attention last year for CVE-2023-0669, a zero-day that saw widespread exploitation from the Cl0p ransomware gang.
GoAnywhere is back in the news again after a PoC dropped yesterday for a new vulnerability: CVE-2024-0204, a critical authentication bypass bug that allows unauthenticated users to create admin accounts through the administrative console.
The PoC demonstrates how easy this exploit is. A malicious actor can leverage a path traversal bug to redirect to the vulnerable /InitialAccountSetup.xhtml endpoint, revealing GoAnywhere’s initial account setup screen. Note that this vulnerability impacts the admin console, not the web client interface.
While Fortra patched the issue in GoAnywhere 7.4.1 in December, a public security advisory was only released a few days ago, showing a step forward in transparency after a trend of disclosures hidden behind customer login walls.
As of Wednesday January 24, Censys sees slightly fewer than 170 hosts exposing GoAnywhere MFT administrative interfaces on the public internet. Although this isn’t the most extensive level of exposure we’ve encountered, it does raise concerns given the nature of the data stored in these instances. The relatively small number of hosts belies the potential damage that could occur with just one compromise. Given how easy these are to find and the straightforwardness of the exploit, we expect any exposed unpatched instances will likely be compromised.
A vulnerable GoAnywhere MFT administrator interface exposed to the internet
The majority of these admin interfaces are running on the default port settings – 8000 and 8001. Note that there can be more than one service per host.
We see a notable presence of these interfaces in the United States and Europe.
Over 60% of these interfaces are hosted in Amazon, Microsoft, or Google Cloud networks.
We expect to see a rise in scanning and compromise of exposed unpatched GoAnywhere MFT instances. Patching immediately is crucial.
It looks like GoAnywhere vulnerabilities are, in fact, going nowhere for the time being.