Security News > 2024 > January > Fortra warns of new critical GoAnywhere MFT auth bypass, patch now
Fortra is warning of a new authentication bypass vulnerability impacting GoAnywhere MFT versions before 7.4.1 that allows an attacker to create a new admin user.
GoAnywhere MFT is used by organizations worldwide to secure transfer files with customers and business partners.
The flaw impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier and was fixed in GoAnywhere MFT 7.4.1, released on December 7, 2023.
Fortra has not clarified if the vulnerability is actively exploited or not.
In early 2023, it was revealed that the Clop ransomware gang had breached 130 companies and organizations by leveraging a critical remote code execution flaw in GoAnywhere MFT. The flaw is tracked as CVE-2023-0669 and had been exploited as a zero-day vulnerability since January 18, 2023.
Considering the above, organizations using Fortra GoAnywhere MFT should apply the available security updates and recommended mitigations as soon as possible and scrutinize their logs for suspicious activity.
News URL
Related news
- Juniper patches critical auth bypass in Session Smart routers (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- GitLab patches critical authentication bypass vulnerabilities (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- Critical flaw in Next.js lets hackers bypass authorization (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- Critical auth bypass bug in CrushFTP now exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-06 | CVE-2023-0669 | Deserialization of Untrusted Data vulnerability in Fortra Goanywhere Managed File Transfer Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. | 7.2 |