
CVE-2022-36071: CWE-287: Improper Authentication in drakkan sftpgo

Medium
Published: Fri Sep 02 2022 (09/02/2022, 17:15:12 UTC)
Source: CVE
Vendor/Project: drakkan
Product: sftpgo

Description

SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP. In SFTPGo versions from version 2.2.0 to 2.3.3 recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.

AI-Powered Analysis

Last updated: 06/21/2025, 23:40:10 UTC

Technical Analysis

CVE-2022-36071 is an improper authentication weakness (CWE-287) in SFTPGo, a configurable SFTP server that also supports HTTP/S, FTP/S, and WebDAV. SFTPGo's WebAdmin and WebClient interfaces support two-factor authentication (2FA) using Time-based One Time Passwords (TOTP) as the second factor. Because TOTP-configured devices can be lost or damaged, SFTPGo also issues recovery codes: one-time use codes accepted in place of a TOTP. In versions 2.2.0 through 2.3.3, recovery codes could be generated before 2FA was enabled on an account. An attacker who has obtained a user's password could therefore generate recovery codes ahead of 2FA activation and later use them to bypass the second factor once 2FA is enabled, defeating the protection 2FA is meant to provide. Version 2.3.4 closes the loophole: recovery codes can only be generated after 2FA is enabled and are deleted when 2FA is disabled. No exploits in the wild have been reported to date. The attack requires knowledge of the user's password and no further user interaction. Any deployment of SFTPGo 2.2.0 through 2.3.3 that uses or plans to use 2FA is affected. Because SFTPGo is a file transfer server, successful exploitation could give unauthorized access to sensitive files, compromising the confidentiality and integrity of stored data and transfers.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive data managed via SFTPGo servers. Organizations relying on SFTPGo for secure file transfers, especially those in regulated sectors such as finance, healthcare, and government, could face unauthorized data access if attackers exploit this flaw. The bypass of 2FA reduces the effectiveness of multi-factor authentication, increasing the risk of account compromise through credential theft or phishing. This could lead to data breaches, intellectual property theft, or disruption of business operations. Additionally, compromised accounts could be used to distribute malware or ransomware within organizational networks. The vulnerability's impact is heightened in environments where password hygiene is weak or where password reuse is common. Since SFTPGo supports multiple protocols, the attack surface extends beyond SFTP to HTTP/S, FTP/S, and WebDAV interfaces, potentially broadening the scope of exploitation. While no active exploits are currently known, the presence of this vulnerability in production systems could invite targeted attacks, especially in high-value European sectors.

Mitigation Recommendations

European organizations using SFTPGo should immediately upgrade affected instances to version 2.3.4 or later, where the vulnerability is fixed. Beyond patching, organizations should audit user accounts to ensure that recovery codes were not generated prior to enabling 2FA and revoke any such codes if found. Implement strict password policies to reduce the risk of password compromise, including enforcing strong, unique passwords and regular password changes. Employ network segmentation and monitoring to detect unusual access patterns to SFTPGo servers. Enable logging and alerting for recovery code generation and 2FA configuration changes to detect potential abuse. Consider integrating SFTPGo authentication with centralized identity providers that support stronger authentication mechanisms and monitoring. For critical environments, consider additional compensating controls such as IP whitelisting, VPN access restrictions, or hardware-based 2FA tokens to reduce reliance on recovery codes. Finally, conduct user training to raise awareness about phishing and credential theft risks that could lead to password compromise.
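The two behaviours described above (the pre-2.3.4 rule that let recovery codes exist before 2FA was enabled, and the 2.3.4 rule that only issues codes after 2FA is on and deletes them on disable), together with the account audit from the mitigation list, as an added Go example. This is not SFTPGo's own code: the Account type, the Policy switch, the audit function and the per-account timestamps are assumptions made for the example, and the accounts in main are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
	"time"
)

// Account is a hypothetical model for this example, not SFTPGo's user type.
// The timestamps are an assumption: they let the audit tell whether the
// recovery codes were created before 2FA was enabled.
type Account struct {
	Username       string
	TOTPEnabled    bool
	TOTPEnabledAt  time.Time
	RecoveryCodes  []string
	CodesCreatedAt time.Time
}

// Policy selects the recovery-code rule. LegacyPolicy reproduces the
// pre-2.3.4 behaviour (codes allowed before 2FA is enabled, kept on disable);
// FixedPolicy reproduces the 2.3.4 rule (codes only after 2FA, deleted on disable).
type Policy struct{ RequireTOTPEnabled bool }

var (
	LegacyPolicy = Policy{RequireTOTPEnabled: false}
	FixedPolicy  = Policy{RequireTOTPEnabled: true}
)

var ErrTOTPDisabled = errors.New("enable two-factor authentication before generating recovery codes")

// GenerateRecoveryCodes creates n random one-time codes for the account,
// refusing under FixedPolicy when 2FA is not yet enabled.
func GenerateRecoveryCodes(a *Account, p Policy, n int, now time.Time) ([]string, error) {
	if p.RequireTOTPEnabled && !a.TOTPEnabled {
		return nil, ErrTOTPDisabled
	}
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	codes := make([]string, 0, n)
	for i := 0; i < n; i++ {
		buf := make([]byte, 10) // 80 bits of randomness per code
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
		codes = append(codes, enc.EncodeToString(buf))
	}
	a.RecoveryCodes = codes
	a.CodesCreatedAt = now
	return codes, nil
}

// EnableTOTP records when the second factor was switched on.
func EnableTOTP(a *Account, now time.Time) {
	a.TOTPEnabled = true
	a.TOTPEnabledAt = now
}

// DisableTOTP turns 2FA off; under FixedPolicy the recovery codes are deleted
// so none survive a disable/enable cycle.
func DisableTOTP(a *Account, p Policy) {
	a.TOTPEnabled = false
	a.TOTPEnabledAt = time.Time{}
	if p.RequireTOTPEnabled {
		a.RecoveryCodes = nil
		a.CodesCreatedAt = time.Time{}
	}
}

// AuditRecoveryCodes returns the usernames whose recovery codes are suspect:
// codes present while 2FA is off, or codes created before 2FA was enabled.
func AuditRecoveryCodes(accounts []Account) []string {
	var flagged []string
	for _, a := range accounts {
		if len(a.RecoveryCodes) == 0 {
			continue
		}
		if !a.TOTPEnabled || a.CodesCreatedAt.Before(a.TOTPEnabledAt) {
			flagged = append(flagged, a.Username)
		}
	}
	return flagged
}

func main() {
	t0 := time.Date(2022, 9, 1, 12, 0, 0, 0, time.UTC)
	// Constructed scenario: alice's codes predate her 2FA activation (legacy rule).
	alice := Account{Username: "alice"}
	GenerateRecoveryCodes(&alice, LegacyPolicy, 3, t0)
	EnableTOTP(&alice, t0.Add(time.Hour))
	// bob follows the fixed order: enable 2FA first, then generate codes.
	bob := Account{Username: "bob"}
	EnableTOTP(&bob, t0)
	GenerateRecoveryCodes(&bob, FixedPolicy, 3, t0.Add(time.Minute))
	fmt.Println("flagged accounts:", AuditRecoveryCodes([]Account{alice, bob}))
}
```

The audit only works if the store keeps creation timestamps for both the codes and the 2FA setting; where it does not, the conservative option from the mitigation list is to revoke existing recovery codes and have users regenerate them after 2FA is confirmed enabled.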


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf6905

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:40:10 PM

Last updated: 8/18/2025, 11:34:10 PM
