Advisory FI-2024-001

FI-2024-001 - Authentication Bypass in GoAnywhere MFT

Severity: Critical
Published Date: 22-Jan-2024
Updated Date: 22-Jan-2024
Vulnerabilities: CVE-2024-0204

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Authentication Bypass in GoAnywhere MFT
Severity: Critical
CVE: CVE-2024-0204
CWE: CWE-425 Direct Request ('Forced Browsing')
Discovery Date: 01-Dec-2023
CVSSv3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products: Fortra GoAnywhere MFT 6.x from 6.0.1; Fortra GoAnywhere MFT 7.x before 7.4.1

Vulnerability Notes

Remediation: Vendor Fix

Upgrade to version 7.4.1 or higher. The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see (registration required).
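As an added example (not part of Fortra's advisory or product), the following POSIX shell functions audit and apply the file-based interim mitigation described above. The install directory is passed in by the caller, and the file is located by name because the advisory does not state its subpath; the "container" mode flag is an assumption of this example.

```shell
#!/bin/sh
# Added example, not Fortra's code. Until 7.4.1+ is installed, the advisory's
# interim mitigation is to delete InitialAccountSetup.xhtml (non-container
# deployments) or replace it with an empty file (container deployments),
# then restart the services. The install directory is an assumption passed
# by the caller; the file is found by name since the advisory gives no subpath.

# check_mitigation DIR
# Returns 0 when mitigated (file absent or zero bytes), 1 when a non-empty
# copy is still present, 2 when DIR does not exist.
check_mitigation() {
    install_dir=$1
    [ -d "$install_dir" ] || return 2
    # -size +0c matches only files with content; an empty file is the
    # container-style mitigation and therefore counts as mitigated.
    nonempty=$(find "$install_dir" -type f -name InitialAccountSetup.xhtml -size +0c 2>/dev/null)
    if [ -n "$nonempty" ]; then
        printf 'NOT MITIGATED: non-empty InitialAccountSetup.xhtml found:\n%s\n' "$nonempty"
        return 1
    fi
    echo "mitigated: no non-empty InitialAccountSetup.xhtml under $install_dir"
    return 0
}

# apply_mitigation DIR MODE
# MODE "container": truncate the file in place (it must keep existing).
# Any other MODE: delete the file. Restarting the services afterwards, as the
# advisory requires, is left to the operator and not automated here.
apply_mitigation() {
    install_dir=$1
    mode=$2
    if [ "$mode" = "container" ]; then
        find "$install_dir" -type f -name InitialAccountSetup.xhtml -exec sh -c ': > "$1"' _ {} \;
    else
        find "$install_dir" -type f -name InitialAccountSetup.xhtml -exec rm -f {} \;
    fi
}
```

Run `check_mitigation /path/to/goanywhere` before and after patching or applying the workaround to confirm the file is no longer present with content.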

Fortra would like to thank the following individuals:

  • Mohammed Eldeeb & Islam Elrfai, Spark Engineering Consultants

Fortra Security and Trust Center