Skip to main content

Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass

Medium
Published: Thu May 29 2025 (05/29/2025, 00:00:00 UTC)
Source: Exploit-DB RSS Feed

Description

Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass

AI-Powered Analysis

AILast updated: 06/11/2025, 21:16:03 UTC

Technical Analysis

The Fortra GoAnywhere MFT 7.4.1 Authentication Bypass vulnerability (CVE-2024-0204) is a critical security flaw affecting versions prior to 7.4.1 of the GoAnywhere Managed File Transfer (MFT) software. This vulnerability arises from a path traversal weakness that allows unauthenticated attackers to bypass the authentication mechanism entirely. By exploiting this flaw, attackers can access the initial account setup wizard, which is normally only accessible during initial installation or configuration. This access enables them to create a new administrator account with arbitrary credentials without any prior authentication. The exploit leverages two distinct path traversal techniques to maximize success across different server configurations: one using the path "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml" and the other "/goanywhere/..;/wizard/InitialAccountSetup.xhtml". The exploit script is implemented in Python 3 and uses the requests library to interact with the target server over HTTPS, bypassing SSL verification warnings. It first checks the target's vulnerability by sending GET requests to the crafted paths and analyzing HTTP response codes and content. If the target is vulnerable, it parses the response HTML to extract the required javax.faces.ViewState token, which is necessary for submitting the form to create an admin account. The script then submits a POST request with the attacker-supplied username and password to create the admin account. The vulnerability allows complete administrative control over the GoAnywhere MFT server, enabling attackers to manipulate file transfers, access sensitive data, and potentially pivot to other internal systems. The exploit requires no authentication or user interaction, making it highly dangerous. No official patch links are provided yet, but the vendor has released version 7.4.1 to address this issue. The exploit code is publicly available, increasing the risk of widespread exploitation once discovered.

Potential Impact

For European organizations using Fortra GoAnywhere MFT versions prior to 7.4.1, this vulnerability poses a severe risk. Successful exploitation grants attackers full administrative privileges, compromising confidentiality, integrity, and availability of managed file transfer operations. This can lead to unauthorized data exfiltration, injection of malicious files, disruption of critical file transfer workflows, and potential lateral movement within corporate networks. Organizations handling sensitive data such as financial records, personal data under GDPR, or intellectual property are particularly at risk. The ability to create an admin account without authentication means attackers can maintain persistent access and evade detection. Given the central role of MFT solutions in secure data exchange, exploitation could disrupt business continuity and lead to regulatory penalties. The lack of authentication and user interaction requirements means attacks can be automated and launched at scale, increasing the threat surface. European entities in sectors like finance, healthcare, government, and manufacturing that rely on GoAnywhere MFT are especially vulnerable to operational and reputational damage.

Mitigation Recommendations

1. Immediate upgrade to Fortra GoAnywhere MFT version 7.4.1 or later, where this vulnerability is patched, is the most effective mitigation. 2. If immediate patching is not feasible, restrict network access to the GoAnywhere MFT administrative interface using firewalls or network segmentation to limit exposure to trusted internal IPs only. 3. Monitor web server logs for suspicious access attempts to the paths "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml" and "/goanywhere/..;/wizard/InitialAccountSetup.xhtml", which indicate exploitation attempts. 4. Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns and unauthorized access to setup wizards. 5. Enforce strong authentication and multi-factor authentication (MFA) on administrative accounts once patched to reduce impact of compromised credentials. 6. Conduct regular audits of administrator accounts and review for any unauthorized accounts created. 7. Employ network intrusion detection systems (NIDS) with signatures for CVE-2024-0204 exploit patterns. 8. Educate IT and security teams about this vulnerability and ensure incident response plans include steps for rapid containment and remediation. 9. Disable or remove any unused or legacy setup wizards or interfaces if possible. 10. Use vulnerability scanning tools to identify any instances of vulnerable GoAnywhere MFT deployments within the organization.

Need more detailed analysis?Get Pro

Technical Details

Edb Id
52308
Has Exploit Code
true
Code Language
python

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
# Date: 2025-05-25
# Exploit Author: @ibrahimsql
# Exploit Author's github: https://github.com/ibrahimsql
# Vendor Homepage: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft
# Software Link: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft/free-trial
# Version: < 7.4.1
# Tested on: Kali Linux 2024.1
# CVE: CVE-2024-0204
# Description:
# Fortra 
... (13921 more characters)
Code Length: 14,421 characters

Threat ID: 68489d8b7e6d765d51d52927

Added to database: 6/10/2025, 9:03:07 PM

Last enriched: 6/11/2025, 9:16:03 PM

Last updated: 8/15/2025, 9:32:01 AM

Views: 21

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats