Exploit Research | CVE-2024-0204 | Severity: High

GoAnywhere MFT: Pre-Auth Admin Account Creation

Siva Krishna Samireddy | Jan 22, 2024 | 8 min read


Fortra's GoAnywhere MFT (Managed File Transfer) platform was found to contain a critical authentication bypass (CVE-2024-0204, CVSS 9.8): a path traversal in the administrative portal lets an unauthenticated attacker reach the initial setup wizard and create an administrator account on an exposed instance. The bug follows a pattern of MFT platform compromises that ransomware groups have exploited at scale, including the Cl0p group's mass exploitation of MOVEit Transfer in 2023 and, before that, of GoAnywhere MFT itself (CVE-2023-0669) in early 2023.

Root Cause Analysis

The vulnerability lives in GoAnywhere MFT's administrative web portal. The application ships an initial setup wizard whose account-creation page, /wizard/InitialAccountSetup.xhtml, is meant to be reachable only on a fresh install, before the first administrator exists. The guard that enforces this inspects the request path as the client sent it, while the page that actually gets served is chosen after the servlet container has normalized that path. Because the two views of the URL can disagree, the guard can be made to look at one path while the container dispatches to another.

By crafting a request whose path traverses the directory structure to land on /wizard/InitialAccountSetup.xhtml without literally naming that path, an attacker slips past the check that determines whether initial setup has already been completed. The application then processes the request as a legitimate first-time setup and creates a new administrator account with attacker-supplied credentials. No existing session or credential is needed; the only prerequisite is network access to the admin portal.
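The following is an added illustration of the flaw class described above, not Fortra's code: a setup-wizard guard that decides on the raw request URI, beside a hardened guard that decides on the canonical path the container will actually serve. It assumes the traversal takes the form of a `..;/` segment, which Tomcat treats as a path parameter and strips before normalizing (the form used in the public proof of concept), and it models the application as a tiny in-memory admin list rather than the real product.

```python
import posixpath
from dataclasses import dataclass, field

SETUP_PAGE = "/wizard/InitialAccountSetup.xhtml"


@dataclass
class Request:
    raw_uri: str  # the URI exactly as the client sent it


@dataclass
class AdminState:
    admins: list = field(default_factory=list)

    @property
    def setup_completed(self) -> bool:
        # Setup is "done" as soon as at least one administrator exists.
        return len(self.admins) > 0


def canonicalize(uri: str) -> str:
    """Model of what the servlet container does before dispatching (assumption):
    drop path parameters (';...' on each segment, so '..;' becomes '..'), then
    collapse '.' and '..' segments."""
    segments = [seg.split(";", 1)[0] for seg in uri.split("/")]
    return posixpath.normpath("/".join(segments)) or "/"


def vulnerable_filter(req: Request, state: AdminState) -> str:
    """Flawed guard: compares the RAW URI against the wizard path, so any
    non-canonical spelling of that path is waved through."""
    if state.setup_completed and req.raw_uri == SETUP_PAGE:
        return "redirect"
    return "pass"


def hardened_filter(req: Request, state: AdminState) -> str:
    """Fixed guard: decides on the canonical path the container will serve, and
    additionally refuses any request that tries to reach the wizard through a
    non-canonical path, even on a fresh install."""
    canonical = canonicalize(req.raw_uri)
    if canonical == SETUP_PAGE and (state.setup_completed or req.raw_uri != SETUP_PAGE):
        return "redirect"
    return "pass"


def handle(req: Request, state: AdminState, guard, new_admin: str) -> str:
    """Simulated admin portal: the guard runs first, then the container
    dispatches on the normalized path. Returns what happened."""
    if guard(req, state) == "redirect":
        return "redirected"
    if canonicalize(req.raw_uri) == SETUP_PAGE:
        state.admins.append(new_admin)  # the wizard creates the account
        return "admin-created"
    return "not-found"


TRAVERSAL_URI = "/images/..;/wizard/InitialAccountSetup.xhtml"  # constructed attacker input


def demo() -> dict:
    """Run the same attacker request against both guards on a configured
    instance, plus a legitimate first-time setup against the hardened guard."""
    results = {}

    configured = AdminState(["administrator"])
    results["vuln_direct"] = handle(Request(SETUP_PAGE), configured, vulnerable_filter, "evil")
    results["vuln_traversal"] = handle(Request(TRAVERSAL_URI), configured, vulnerable_filter, "evil")
    results["vuln_admins"] = list(configured.admins)

    configured = AdminState(["administrator"])
    results["fixed_traversal"] = handle(Request(TRAVERSAL_URI), configured, hardened_filter, "evil")
    results["fixed_admins"] = list(configured.admins)

    fresh = AdminState()
    results["fixed_fresh_install"] = handle(Request(SETUP_PAGE), fresh, hardened_filter, "first-admin")
    results["fresh_traversal"] = handle(Request(TRAVERSAL_URI), AdminState(), hardened_filter, "evil")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the simulation makes is that the guard and the dispatcher must agree on what path is being requested; any check that string-matches the raw URI can be sidestepped by whichever normalization the container performs afterwards.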

Exploitation at Scale

Our external scanning identified over 1,000 GoAnywhere MFT instances directly exposed to the internet, concentrated in financial services, healthcare, and government: precisely the sectors that rely on managed file transfer to meet regulatory requirements. Within one week of the public proof of concept appearing, we observed active exploitation attempts across our sensor network.

The vulnerability is especially concerning because GoAnywhere MFT instances typically handle sensitive data in transit: financial records, healthcare data, legal documents, and other regulated information. An attacker with an administrator account can view, download, and exfiltrate every file processed through the platform, and because the account is a legitimate one created through the product's own wizard, the access will not trip controls that look only for broken authentication.

Remediation

Affected builds are GoAnywhere MFT 6.x from 6.0.1 and 7.x prior to 7.4.1; organizations should update to 7.4.1 or later immediately. Fortra's advisory also documents a workaround for instances that cannot be patched right away: delete InitialAccountSetup.xhtml from the install directory (or, for container deployments, replace it with an empty file) and restart the services. In either case, restrict the administrative portal to trusted networks, since it is separate from the end-user file-transfer services and rarely needs to be reachable from the internet, and audit the administrator account list for any additions you did not make, treating an unexplained account as a sign of compromise rather than a configuration drift. Strobes EASM can identify internet-exposed GoAnywhere instances across your organization's attack surface and flag vulnerable versions automatically.
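As an added triage helper (our own example, not part of the product or of Fortra's advisory), the script below checks an installed version against the affected ranges, scans access-log lines for requests that reach the setup wizard page through anything other than its canonical path, and diffs the current administrator list against a known-good baseline. The log lines are constructed samples in Tomcat combined format, and the `/goanywhere` context path and the log layout are assumptions about a typical deployment.

```python
import re
from urllib.parse import unquote

WIZARD_PAGE = "InitialAccountSetup.xhtml"

# Tomcat combined access-log layout (assumed): client ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """Affected ranges per Fortra's advisory: 6.x from 6.0.1, and 7.x before 7.4.1."""
    v = parse_version(version)
    if v[0] == 6:
        return v >= (6, 0, 1)
    if v[0] == 7:
        return v < (7, 4, 1)
    return False


def suspicious_wizard_requests(lines, context: str = "/goanywhere") -> list:
    """Return (ip, timestamp, method, path, status) for each request that names the
    setup-wizard page but does not use its canonical path, or that carries a
    dot-dot segment or path parameter (the '..;/' trick) in the raw URI."""
    canonical = f"{context}/wizard/{WIZARD_PAGE}"
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip rather than guess
        path = unquote(m["path"].split("?", 1)[0])  # decode %2e%2e and drop the query string
        if WIZARD_PAGE not in path:
            continue
        traversal = "/.." in path or ";" in path
        if traversal or path != canonical:
            hits.append((m["ip"], m["ts"], m["method"], path, int(m["status"])))
    return hits


def unexpected_admins(current_admins, baseline_admins) -> list:
    """Administrator accounts present now that were not in the last known-good list."""
    return sorted(set(current_admins) - set(baseline_admins))


def triage(version: str, log_lines, current_admins, baseline_admins) -> dict:
    return {
        "vulnerable_version": is_vulnerable_version(version),
        "wizard_hits": suspicious_wizard_requests(log_lines),
        "unexpected_admins": unexpected_admins(current_admins, baseline_admins),
    }


# Constructed sample data: two traversal attempts from one external address, normal
# admin traffic from an internal host, and one direct hit on the wizard that the
# application itself should redirect once setup is complete.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jan/2024:10:15:03 +0000] "POST /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 302 -',
    '203.0.113.5 - - [23/Jan/2024:10:15:04 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 8831',
    '10.0.0.8 - - [23/Jan/2024:10:16:40 +0000] "GET /goanywhere/Dashboard.xhtml HTTP/1.1" 200 5120',
    '10.0.0.8 - - [23/Jan/2024:10:17:02 +0000] "GET /goanywhere/wizard/InitialAccountSetup.xhtml HTTP/1.1" 302 -',
]
SAMPLE_BASELINE = ["administrator", "svc_backup"]
SAMPLE_CURRENT = ["administrator", "svc_backup", "dataflow"]


if __name__ == "__main__":
    report = triage("7.4.0", SAMPLE_LOG, SAMPLE_CURRENT, SAMPLE_BASELINE)
    print("vulnerable version:", report["vulnerable_version"])
    for hit in report["wizard_hits"]:
        print("suspicious wizard request:", hit)
    print("unexpected admin accounts:", report["unexpected_admins"])
```

A POST to the wizard page that returns 302 on a configured instance is ambiguous on its own (the application redirects both blocked and completed setups), so pair the log hits with the admin-list diff: a new administrator whose first appearance lines up with one of those requests is the signal that matters.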