Fortra GoAnywhere Patch Now: Flaw lets anyone be admin
Fortra has recently identified a severe security vulnerability in its GoAnywhere Managed File Transfer (MFT) software. The vulnerability, tracked as CVE-2024-0204, carries a CVSS score of 9.8 out of 10, which places it in the critical range.
The security flaw allows for an authentication bypass in versions of GoAnywhere MFT earlier than 7.4.1. Exploiting this vulnerability, an unauthorized individual could create a new administrator account through the administration portal. Fortra released this information in a security advisory on January 22, 2024.
For users unable to update to version 7.4.1 immediately, Fortra recommends certain temporary measures. In non-containerized deployments, one can mitigate the risk by deleting the InitialAccountSetup.xhtml file found in the installation directory and then restarting the associated services.
In instances where GoAnywhere MFT is deployed in containers, the suggested workaround is to replace the InitialAccountSetup.xhtml file with an empty file and subsequently restart the system. These steps are critical interim solutions to safeguard the system against potential unauthorized administrative access.
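The check below is an added example, not Fortra's code: it audits a directory tree for the state of InitialAccountSetup.xhtml that the two workarounds above are meant to produce. The installation directory is supplied by the operator as an argument (no default path is assumed), and the function name is illustrative.

```shell
#!/bin/sh
# Added example: audit a GoAnywhere MFT installation directory for the
# InitialAccountSetup.xhtml workaround. The directory is passed in by the
# operator; no default install path is assumed.

# Prints one line per copy found and returns:
#   0  no copy, or only empty copies (a workaround is in place)
#   1  at least one non-empty copy (workaround NOT in place)
#   2  the directory does not exist
check_initial_setup_page() {
    dir=$1
    [ -d "$dir" ] || { echo "ERROR: not a directory: $dir" >&2; return 2; }

    exposed=0
    found=0
    # find output goes through a temp file so the loop runs in this shell
    # and can update the counters (a pipeline would run it in a subshell).
    list=$(mktemp) || return 2
    find "$dir" -type f -name 'InitialAccountSetup.xhtml' > "$list"
    while IFS= read -r f; do
        found=1
        if [ -s "$f" ]; then
            echo "EXPOSED   $f (non-empty: workaround not applied)"
            exposed=1
        else
            echo "MITIGATED $f (empty file: container workaround)"
        fi
    done < "$list"
    rm -f "$list"

    [ "$found" -eq 1 ] || echo "MITIGATED no InitialAccountSetup.xhtml under $dir (file deleted)"
    return "$exposed"
}

# Run as a script: sh check.sh <installation directory>
if [ "$#" -ge 1 ]; then
    check_initial_setup_page "$1"
fi
```

A clean result only reflects the file's state on disk; it does not confirm that the services were restarted or that the installation has been updated to 7.4.1.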