Cyber Resilience

CVE-2024-0204

Severity: Critical · Public PoC available
Published: 22 January 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: available (GoAnywhere MFT 7.4.1)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.9305 (99.8th percentile)
Risk Priority: 75 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-0204 is a critical-severity authentication bypass, classed as Direct Request / Forced Browsing (CWE-425), in Fortra GoAnywhere Managed File Transfer (MFT). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof of concept is referenced.

Deeper analysis

CVE-2024-0204 is an authentication bypass in Fortra's GoAnywhere MFT prior to version 7.4.1. The flaw, classed as CWE-425 (forced browsing), lies in the administration portal: an unauthenticated remote attacker can reach the account-creation flow directly and create an administrative user without holding any credentials and without any user interaction.

An attacker with network access to the administration interface (which should not be reachable from the internet in the first place) can exploit the issue to provision a new admin account, after which they hold full control over the managed file transfer environment: every stored file, every transfer definition and every credential the server brokers. That is a complete compromise of confidentiality, integrity and availability, consistent with the CVSS 9.8 rating.

Fortra's security advisory FI-2024-001 and the customer portal direct customers to upgrade to GoAnywhere MFT 7.4.1 or later, which is the fixed release. For instances that cannot be upgraded immediately, the advisory also describes a workaround: delete the InitialAccountSetup.xhtml page from the install directory (or, for container deployments, replace it with an empty file) and restart the services. Either way, review the Admin Users group in the administration portal for accounts that no known administrator created, since a successful attack leaves one behind. Public exploit code for both the authentication bypass and the follow-on unauthenticated remote code execution has been posted to Packet Storm.

The EPSS score peaked at 0.9336 and currently stands at 0.9305, indicating sustained high exploitation interest since disclosure.


Vulnerability details

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

CWE(s)

CWE-425: Direct Request ('Forced Browsing')

Related Threats

Threat-Actor Attribution (AI-generated)

Cl0p
The Cl0p ransomware crew's mass exploitation of GoAnywhere MFT, reported by Fortra, Mandiant and Unit 42, took place in early 2023 and targeted CVE-2023-0669, a different vulnerability in the same product. CVE-2024-0204 was fixed in 7.4.1 (released December 2023) before its January 2024 public disclosure, is not in the CISA KEV catalog, and has not been publicly attributed to Cl0p. Treat this entry as a product-level association, not as confirmed Cl0p exploitation of this CVE.

Affected Assets

Fortra GoAnywhere Managed File Transfer
6.x from 6.0.0; 7.x from 7.0.0 up to but not including 7.4.1 (the fixed release)

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-425, forced browsing) cited in the NVD entry. Each control addresses CWE-425:

- Forcing a decision on every access request, including direct ones, reduces the exploitability of forced browsing by ensuring there are no unchecked access paths.
- Forcing all accesses through the reference monitor prevents direct or forced requests from bypassing checks.
- Enforcing access control for all logical requests prevents unauthorized direct access to protected resources.
- Displaying the system-use notification before any further access on public systems prevents direct resource requests from bypassing the required terms and consent.
- Decoy endpoints catch forced browsing and direct requests, deflecting attackers from legitimate resources while enabling analysis.
- Denying input access to non-authorized actors blocks unauthorized direct requests and forced browsing.
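The bypass class described under Deeper analysis, and the "every request through one reference monitor" controls listed above, are easiest to see in code. The following Python is an added illustration written for this page, not code from Fortra or GoAnywhere; the routes (/admin/setup, /public/), the session dict and the probe URLs are hypothetical. It contrasts an authorization check made on the raw request path (bypassable with encoded or ';'-suffixed traversal, because the router dispatches on the decoded path) with one that canonicalizes first, decides every request in one place, and permanently seals the first-run setup route once an administrator exists.

```python
# Added example (not code from the page, Fortra, or GoAnywhere): a toy
# authorization layer showing the CWE-425 pattern and the single
# reference-monitor fix from the control list. Route names are hypothetical.
import posixpath
from urllib.parse import unquote

ADMIN_PREFIX = "/admin/"        # everything under here needs an admin session
SETUP_ROUTE = "/admin/setup"    # first-run "create the initial admin" page


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form the router will actually dispatch on.

    Attackers disguise a protected URL with percent-encoding, '.'/'..'
    segments and servlet-style ';param' suffixes; if authorization looks at
    the raw string while the router looks at the decoded one, the two
    disagree and the check is bypassed.
    """
    path = raw_path
    for _ in range(3):                      # undo (bounded) layers of encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    joined = "/".join(segments).lstrip("/")
    return posixpath.normpath("/" + joined)  # resolves '.' and '..', never above '/'


def vulnerable_is_allowed(raw_path: str, session: dict, setup_done: bool) -> bool:
    """Vulnerable: the decision uses the raw path and assumes that anything
    not starting with /admin/ is public. '/public/..;/admin/setup' slips by
    here but still dispatches to the setup page after canonicalization."""
    if not raw_path.startswith(ADMIN_PREFIX):
        return True
    if raw_path == SETUP_ROUTE and not setup_done:
        return True
    return session.get("role") == "admin"


def hardened_is_allowed(raw_path: str, session: dict, setup_done: bool) -> bool:
    """Hardened: one monitor, canonical path, deny by default. The setup
    route is sealed permanently once an admin exists."""
    path = canonicalize(raw_path)
    if path == SETUP_ROUTE:
        return not setup_done
    if path.startswith(ADMIN_PREFIX):
        return session.get("role") == "admin"
    return path.startswith("/public/")      # explicit allowlist for anonymous access


# Constructed requests an unauthenticated client might send after setup.
PROBES = [
    "/admin/setup",                       # direct hit: both versions block it
    "/public/..;/admin/setup",            # ';' path parameter + traversal
    "/public/%2e%2e/admin/setup",         # encoded traversal
    "/public/%252e%252e/admin/setup",     # double-encoded traversal
]


def compare(probes=PROBES, setup_done: bool = True) -> dict:
    """For each probe, report where the request really lands and whether the
    vulnerable and hardened monitors would let an anonymous session through."""
    return {
        p: {
            "dispatches_to": canonicalize(p),
            "vulnerable_allows": vulnerable_is_allowed(p, {}, setup_done),
            "hardened_allows": hardened_is_allowed(p, {}, setup_done),
        }
        for p in probes
    }


if __name__ == "__main__":
    for probe, result in compare().items():
        print(probe, result)
```

Run it to print, for each probe, where the request actually dispatches and which monitor lets an anonymous session through. The general lesson, not specific to GoAnywhere: the path the authorization filter sees must be the same path the router uses, and setup-only endpoints need state-based sealing, not path-based hiding.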
