A dangerous zero-day vulnerability has been discovered in Fortra’s GoAnywhere Managed File Transfer (MFT) application and is currently being actively exploited. Security reporter Brian Krebs first made details of the flaw public on Mastodon. However, Fortra has yet to release a public advisory.
Details of the Flaw
The vulnerability is a remote code injection that requires access to the administrative console of the application, making it critical that these systems are not accessible from the public internet. Unfortunately, security researcher Kevin Beaumont has found over 1,000 on-premises instances that are publicly accessible online, with a majority located in the United States.
Response from Security Researchers and Cybersecurity Company
Rapid7 researcher Caitlin Condon advised GoAnywhere MFT customers to review all administrative users and monitor for any unrecognized usernames, especially those created by the system. Such accounts may indicate follow-on attacker behavior that includes the creation of new administrative or other users to take over or maintain control of vulnerable target systems.
No Available Patch for the Vulnerability
The vulnerability may also be exploited by using weak or reused credentials to obtain administrative access to the console. At this time, no patch is available to fix the zero-day vulnerability, but Fortra has provided a workaround that removes the “License Response Servlet” configuration from the web.xml file.
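One way to confirm the workaround has taken effect, shown as an added example that is not Fortra's own tooling: the script parses a web.xml and reports any active entries that still name the servlet. It assumes the configuration uses the standard Java deployment descriptor layout (`<servlet>` and `<servlet-mapping>` elements keyed by `<servlet-name>`); the sample XML, its class name and its URL pattern are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET

TARGET = "License Response Servlet"  # name quoted in the workaround

# Constructed sample; the class name and URL pattern are placeholders.
SAMPLE_UNMITIGATED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>example.placeholder.PlaceholderServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/placeholder</url-pattern>
  </servlet-mapping>
</web-app>"""

# Same file with both elements wrapped in one XML comment (constructed).
SAMPLE_MITIGATED = (SAMPLE_UNMITIGATED
    .replace("<servlet>", "<!-- <servlet>")
    .replace("</servlet-mapping>", "</servlet-mapping> -->"))

def local(tag):
    """Drop the namespace prefix so any descriptor schema version matches."""
    return tag.rsplit("}", 1)[-1]

def remaining_entries(web_xml, servlet_name=TARGET):
    """List active <servlet>/<servlet-mapping> elements naming the servlet.

    Commented-out elements are skipped by the parser, so they are not reported.
    """
    root = ET.fromstring(web_xml)
    found = []
    for elem in root.iter():
        kind = local(elem.tag)
        if kind not in ("servlet", "servlet-mapping"):
            continue
        for child in elem:
            if local(child.tag) == "servlet-name" and (child.text or "").strip() == servlet_name:
                found.append(kind)
    return found

if __name__ == "__main__":
    # Pass the path to your own web.xml; with no argument the sample is checked.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UNMITIGATED
    left = remaining_entries(data)
    print("still configured: " + ", ".join(left) if left else "no active entries found")
    sys.exit(1 if left else 0)
```

A non-empty result means part of the configuration is still active, for example a mapping removed while the servlet declaration remains.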
Growing Threat to File Transfer Solutions
File transfer solutions have become a popular target for threat actors, with flaws in Accellion and FileZen already being weaponized for data theft and extortion. This latest vulnerability in Fortra’s GoAnywhere MFT highlights the importance of regular security checks and updates to prevent similar attacks in the future.