Popular file transfer software has a seriously dangerous security bug that gives anyone free administrator rights — so patch it now to avoid another MOVEit-like debacle


GoAnywhere Managed File Transfer (MFT), the program at the center of a major data breach scandal around a year ago, has been found to contain a new high-severity vulnerability, which users should patch immediately to avoid more trouble.

Cybersecurity researchers Mohammed Eldeeb and Islam Elrfai from Spark Engineering Consultants discovered the flaw in December 2023, and disclosed it to GoAnywhere’s developer, Fortra. 

The flaw is described as a path traversal weakness and is tracked as CVE-2024-0204. It carries a severity score of 9.8 out of 10, which rates it as critical.

A workaround is available, too

As explained by the researchers, as well as cybersecurity firm Horizon3.ai, which subsequently published a proof-of-concept (PoC) exploit, the vulnerability can be used to create a new administrator user for the tool:

"Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal," a new Fortra advisory reads.

"The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section," Horizon3.ai security researcher Zach Hanley said. "If the attacker has left this user here, you may be able to observe its last logon activity here to gauge an approximate date of compromise."
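The check Hanley describes can be automated against an export of the Admin Users list, so that a rogue account is spotted even when an administrator is not eyeballing the portal. The script below is an added example, not Fortra's or Horizon3.ai's code. It assumes (this is not stated on the page) that the Admin Users list has been exported as CSV with the columns username, created and last_login, and it compares that export with the set of admin accounts the organisation actually provisioned; the sample export is constructed.

```python
"""Hunt for the indicator of compromise described above: an admin account
nobody provisioned. Example code added here, not Fortra's or Horizon3.ai's.

Assumption (not from the advisory): the Admin Users list has been exported
from the administrator portal as CSV with the columns
username, created, last_login (ISO 8601 timestamps, empty if never logged in).
That export format is constructed for this example.
"""
import csv
import io
from datetime import datetime

# Constructed sample export: two expected admins plus one nobody created.
SAMPLE_EXPORT = """username,created,last_login
gaadmin,2022-03-01T09:12:00,2024-01-22T08:05:31
ops.backup,2023-06-14T14:00:00,2024-01-20T17:44:02
svc_update,2024-01-19T03:27:45,2024-01-19T03:28:10
"""

# Accounts the organisation actually provisioned (change records, IdP, etc.).
KNOWN_ADMINS = {"gaadmin", "ops.backup"}


def _ts(value):
    """Parse an ISO 8601 stamp; an empty cell means 'never'."""
    value = (value or "").strip()
    return datetime.fromisoformat(value) if value else None


def parse_admin_export(text: str) -> list:
    """Turn the CSV export into rows with datetime fields (None when empty)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "created": _ts(row.get("created")),
            "last_login": _ts(row.get("last_login")),
        })
    return rows


def find_unexpected_admins(rows, known_admins) -> list:
    """Admin accounts absent from the provisioned set, oldest first."""
    unexpected = [r for r in rows if r["username"] not in known_admins]
    return sorted(unexpected, key=lambda r: r["created"] or datetime.min)


def estimate_compromise_time(unexpected):
    """Earliest timestamp (creation or logon) seen on any rogue admin.
    The account is created at exploitation time, so this is an upper bound
    on when the compromise happened ("no later than")."""
    stamps = [t for r in unexpected for t in (r["created"], r["last_login"]) if t]
    return min(stamps) if stamps else None


def report(text: str = SAMPLE_EXPORT, known_admins=KNOWN_ADMINS) -> dict:
    """Run the whole check and return the findings as a plain dict."""
    rogue = find_unexpected_admins(parse_admin_export(text), known_admins)
    return {
        "rogue_admins": [r["username"] for r in rogue],
        "compromise_no_later_than": estimate_compromise_time(rogue),
    }


if __name__ == "__main__":
    result = report()
    if result["rogue_admins"]:
        print("Unexpected admin accounts:", ", ".join(result["rogue_admins"]))
        print("Compromise no later than:", result["compromise_no_later_than"])
    else:
        print("No unexpected admin accounts in export.")
```

Run it against a fresh export on a schedule and alert on any non-empty result; the timestamp it returns is only a bound, since an attacker can rename or delete the account after use, so a clean result does not prove the host was never exploited.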

Those unable to apply the patch right away can use a temporary workaround. In non-container deployments, delete the InitialAccountSetup.xhtml file in the install directory and then restart the device; for container-deployed instances, Fortra recommends replacing the file with an empty one before restarting.
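The workaround is a two-branch file operation that is easy to get subtly wrong across a fleet (a copy missed, the wrong mode applied to a container), so it helps to script it and then verify the result. The script below is an added example, not Fortra's tooling. Because the page only says the file lives "in the install directory" without giving the exact path, it searches the install tree for every copy of InitialAccountSetup.xhtml instead of hard-coding a location; the adminroot subdirectory used in the rehearsal is a hypothetical stand-in, and the restart that completes the workaround is left to the operator.

```python
"""Apply or verify the interim mitigation for CVE-2024-0204 described above:
delete InitialAccountSetup.xhtml (non-container install) or replace it with
an empty file (container deployment). Example code added here, not Fortra's.

Assumption: the exact location of the file inside the install directory is
not stated, so the script searches the whole tree for it. The restart the
workaround requires is left to the operator.
"""
from pathlib import Path

TARGET = "InitialAccountSetup.xhtml"


def locate(install_dir: Path) -> list:
    """Find every copy of the setup page under the install directory."""
    return sorted(p for p in Path(install_dir).rglob(TARGET) if p.is_file())


def apply_workaround(install_dir: Path, container: bool) -> list:
    """Delete (or, for container deployments, empty) each copy found.
    Returns a log of actions so the operator can review what changed."""
    actions = []
    for path in locate(install_dir):
        if container:
            path.write_bytes(b"")  # keep the path, drop the content
            actions.append(f"emptied {path}")
        else:
            path.unlink()
            actions.append(f"deleted {path}")
    if not actions:
        actions.append(f"{TARGET} not found under {install_dir}; nothing to do")
    return actions


def workaround_in_place(install_dir: Path) -> bool:
    """True when no non-empty InitialAccountSetup.xhtml remains."""
    return all(p.stat().st_size == 0 for p in locate(install_dir))


def rehearse() -> dict:
    """Exercise both modes on a throwaway tree so the procedure can be
    checked before it is run against a production install."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        page = root / "adminroot" / TARGET  # hypothetical subdirectory
        page.parent.mkdir()
        page.write_text("<html>constructed stand-in for the setup page</html>")
        results["before"] = workaround_in_place(root)
        apply_workaround(root, container=True)
        results["container_emptied"] = page.exists() and page.stat().st_size == 0
        results["after_container"] = workaround_in_place(root)
        page.write_text("restored for the second run")
        apply_workaround(root, container=False)
        results["deleted"] = not page.exists()
        results["after_delete"] = workaround_in_place(root)
    return results


if __name__ == "__main__":
    import argparse
    import sys
    ap = argparse.ArgumentParser(description="Apply the CVE-2024-0204 workaround.")
    ap.add_argument("install_dir", type=Path, help="GoAnywhere install directory")
    ap.add_argument("--container", action="store_true",
                    help="replace the file with an empty one instead of deleting it")
    args = ap.parse_args()
    for line in apply_workaround(args.install_dir, args.container):
        print(line)
    print("Restart GoAnywhere now so the change takes effect.")
    sys.exit(0 if workaround_in_place(args.install_dir) else 1)
```

The exit status lets a configuration-management run fail loudly when a non-empty copy of the file survives, and the verification function can be re-run after an upgrade to confirm that the permanent fix (7.4.1 or later) has replaced the interim one.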

There is currently no evidence of the vulnerability being exploited in the wild, but now that the news has broken and a PoC is available, it is only a matter of time before unpatched endpoints are targeted. Users should apply the patch immediately rather than risk the integrity of their data.

Last year, a vulnerability in GoAnywhere resulted in sensitive data from almost 130 organizations being stolen.

Via TheHackerNews


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
