CVE-2024-0204 Detection

Another day, another critical vulnerability on the radar. This time, it’s a critical authentication bypass (CVE-2024-0204) affecting Fortra’s GoAnywhere MFT software, which is widely used by enterprises globally for secure file transfer. Hot on the heels of the critical flaw in Atlassian’s Confluence Server and Data Center, CVE-2024-0204 is likely to be promptly added to the adversary toolkit, since it lets an attacker remotely create a new admin user via the product’s administration portal.

Detect CVE-2024-0204 Exploitation Attempts

Proactive detection of vulnerability exploitation remains one of the top cybersecurity use cases in 2024. To stay on top of emerging CVEs and identify possible cyber attacks against your infrastructure on time, rely on SOC Prime’s Platform for collective cyber defense. Our Threat Detection Marketplace, the world’s largest repository of behavior-based detection algorithms, now aggregates a new rule aimed at CVE-2024-0204 exploit detection.

Possible CVE-2024-0204 (Fortra GoAnywhere MFT Authentication Bypass) Exploitation Attempt (via webserver)

The detection is compatible with 18 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK v14 addressing Initial Access tactics and Exploit Public-Facing Applications (T1190) as a main technique. Also, to smooth threat investigation, the rule is enriched with extensive metadata, including CTI links, ATT&CK references, and other relevant details.

To explore the entire collection of curated detection rules addressing vulnerability exploitation, hit the Explore Detections button below. 


SOC Prime Platform makes it easy to discover and analyze adversary TTPs, find blind spots in log source coverage, address existing gaps, prioritize detection procedures, and share the TTP context with peers in 45 major SIEM, EDR, and Data Lake detection languages.

CVE-2024-0204 Analysis

Over a hundred global organizations rely on Fortra GoAnywhere MFT for managed file transfer, simplifying data exchange among systems, employees, and customers. That same central role exposes these businesses to severe risk whenever a vulnerability in the product is exploited. Fortra has recently notified defenders of a newly uncovered authentication bypass vulnerability tracked as CVE-2024-0204, affecting GoAnywhere MFT versions before 7.4.1. The critical flaw has a CVSS rating of 9.8 and enables attackers to create a new admin user through the administration portal.

Establishing unauthorized accounts with admin privileges poses a significant risk of a complete system takeover. If exploited in GoAnywhere MFT, this could give attackers the green light to access sensitive data, facilitate malware deployment, and potentially launch further attacks within the compromised network.

As potential CVE-2024-0204 mitigation measures, Fortra recommends upgrading to software version 7.4.1 or a later one. In non-container deployments, the security bug can be addressed by removing the “InitialAccountSetup.xhtml” file from the installation directory and restarting the services. For instances deployed in containers, the file should be replaced with an empty file, followed by a system restart. 
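Because the vendor mitigation centers on the InitialAccountSetup.xhtml page, a web-server-log detection such as the rule named in the section above can key on requests for that page. The following is an added example, not SOC Prime’s rule or Fortra’s code; it assumes that exploitation is observable as requests for the setup page, and it runs over constructed combined-format access-log lines embedded inline. Matching is done on the URL-decoded, lower-cased path so that a percent-encoded request does not slip past a literal string match.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed combined-format access-log lines for illustration (not real data).
# The percent-encoded path on the last line stands in for trivial evasion of a
# literal string match on the page name.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2024:10:15:01 +0000] "GET /goanywhere/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jan/2024:10:15:03 +0000] "GET /goanywhere/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.7 - - [23/Jan/2024:10:15:05 +0000] "POST /goanywhere/wizard/InitialAccountSetup.xhtml HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [23/Jan/2024:10:16:00 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jan/2024:10:16:30 +0000] "GET /goanywhere/wizard/%49nitialAccountSetup.xhtml HTTP/1.1" 200 4096 "-" "curl/8.4.0"
"""

# Minimal parser for the common/combined log format: source, timestamp,
# method, request target and status code are all this detection needs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: exploitation of CVE-2024-0204 is observable as requests for the
# initial-setup page that Fortra's mitigation removes from the install directory.
SETUP_PAGE = "initialaccountsetup.xhtml"


def normalize_path(target):
    """Strip the query string, decode twice (to catch double-encoding), lower-case."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return one finding per request whose decoded path names the setup page."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_path(rec["target"])
        if SETUP_PAGE in path:
            findings.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "method": rec["method"],
                "path": path,
                "status": int(rec["status"]),
                # A POST to the setup page is the account-creation step itself;
                # a lone GET may be a scanner checking whether the page is reachable.
                "severity": "high" if rec["method"] == "POST" else "medium",
            })
    return findings


def summarize(findings):
    """Group request methods by source host so a GET-then-POST sequence stands out."""
    by_src = defaultdict(list)
    for f in findings:
        by_src[f["src"]].append(f["method"])
    return dict(by_src)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"[{f['severity']}] {f['ts']} {f['src']} {f['method']} {f['path']} -> {f['status']}")
    print(summarize(hits))
```

On the constructed input the detector reports the GET and POST pair from the first host and the encoded GET from the second; the untouched setup page (GoAnywhere’s own admin login) produces no finding. A production rule would add the remaining evasion handling the page does not cover and would suppress known internal setup activity immediately after a fresh install.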

With the exponential rise in the volume of CVEs and zero-days affecting popular software products, proactive detection of vulnerability exploitation ranks among the leading SOC content needs. With Uncoder AI, teams can streamline their Detection Engineering routine by writing detection code against emerging threats faster and smarter using automated rule templates, MITRE ATT&CK autocompletion, and instant rule logic and syntax checks, as well as translate content into 65 language formats of multiple SIEM, EDR, and Data Lake technologies on the fly.
