Using GoAnywhere MFT for file transfers? Patch now – an exploit's out for a critical bug
2024-01-24 15:04

Horizon3's exploit takes advantage of age-old path traversal weaknesses in Tomcat-based applications where requests to vulnerable endpoints that contain /.;/ allow attackers to access forbidden pages, such as the admin account creation page in GoAnywhere MFT. If remote attackers exploit the same path traversal technique when submitting the form to create a new admin user, the account will be created, giving the bad guys admin privileges.

Zach Hanley, chief attack engineer at Horizon3, said the clearest indicator of compromise would be noticing any new additions to the Admin Users group in the GoAnywhere MFT admin portal.
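Alongside Hanley's check of the Admin Users group, the `/.;/` request pattern described above can be hunted for in the web server's access logs. The following is an added example, not code from Horizon3, Fortra or the article; it assumes a Tomcat/Apache-style common access-log layout, uses constructed sample lines, and the admin setup path in them is a placeholder, not the real endpoint.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (common log format). The context path
# "/app" and "ADMIN_SETUP_PLACEHOLDER" are placeholders, not real GoAnywhere paths.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2024:14:01:02 +0000] "GET /app/login HTTP/1.1" 200 4120
203.0.113.7 - - [24/Jan/2024:14:01:05 +0000] "GET /app/.;/ADMIN_SETUP_PLACEHOLDER HTTP/1.1" 200 9812
198.51.100.9 - - [24/Jan/2024:14:02:11 +0000] "POST /app/%2e%3b/ADMIN_SETUP_PLACEHOLDER HTTP/1.1" 302 0
192.0.2.44 - - [24/Jan/2024:14:03:40 +0000] "GET /app/files/a.b/report?id=3 HTTP/1.1" 200 1201
"""

# Assumption: common log format; adjust if the real log layout differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL_MARKER = "/.;/"


def is_traversal_path(target: str) -> bool:
    """True if the request path contains the /.;/ sequence, raw or percent-encoded."""
    path = target.split("?", 1)[0]          # ignore the query string
    # Check the raw path and a single URL-decode of it, so %2e%3b is not missed.
    return TRAVERSAL_MARKER in path or TRAVERSAL_MARKER in unquote(path)


def find_traversal_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose path carries the traversal marker.

    A 2xx/3xx status on a flagged request is the stronger signal: it means the
    server served the page behind the filter rather than rejecting the request.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_path(m["target"]):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "method": m["method"],
                "path": unquote(m["target"]),
                "status": m["status"],
                "served": str(m["status"][0] in "23"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```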

Affected versions of GoAnywhere MFT include 6.x from 6.0.1 and 7.x before 7.4.1, so it's a good idea to upgrade to at least version 7.4.1 in order to keep successful attacks at bay.

According to internet traffic analysis biz Greynoise, there have been no detected exploit attempts thus far - a point Fortra echoed to wider media - but with proof-of-concept code now publicly available, it's only a matter of time before exploit attempts start amassing.

Industry watchers have highlighted the ease with which the vulnerability can be exploited and the potential for ransomware or extortion attacks is also evident given the nature of the vulnerability and the history of attacks on MFT. Infosec news lovers will remember the security disaster Fortra suffered with GoAnywhere MFT last year when cybercrime outfit Clop began exploiting a zero-day to extort more than 130 companies, claiming some high-profile scalps in the process.

Clop's attacks on GoAnywhere MFT began almost exactly a year ago, in January 2023, with proof-of-concept code published online a day before Fortra could release its patch in early February.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/24/public_exploit_published_within_hours/