CVE-2024-25157
📋 TL;DR
This authentication bypass vulnerability in GoAnywhere MFT allows Admin Users with Agent Console access to circumvent permission checks and access unauthorized pages. This could lead to unauthorized information disclosure or modification of sensitive data. Only organizations using GoAnywhere MFT versions prior to 7.6.0 with Admin Users having Agent Console access are affected.
💻 Affected Systems
- GoAnywhere MFT
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Admin Users could access and modify sensitive configuration files, user data, or system settings, potentially leading to complete system compromise or data exfiltration.
Likely Case
Admin Users could access unauthorized administrative pages, view sensitive information, or make unauthorized configuration changes within the MFT system.
If Mitigated
With proper access controls and monitoring, impact would be limited to attempted unauthorized access that could be detected and blocked.
🎯 Exploit Status
Exploitation requires authenticated Admin User access to the Agent Console. The vulnerability is in permission validation logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6.0
Vendor Advisory: https://www.fortra.com/security/advisories/product-security/fi-2024-009
Restart Required: Yes
Instructions:
1. Download GoAnywhere MFT version 7.6.0 or later from the Fortra support portal.
2. Back up the current configuration and data.
3. Stop GoAnywhere MFT services.
4. Install the updated version.
5. Restart services and verify functionality.
🔧 Temporary Workarounds
Restrict Agent Console Access
Temporarily remove Agent Console access from Admin Users who don't absolutely require it for operations.
Configure through GoAnywhere MFT Admin Console: Users & Groups > Edit User > Permissions > Remove Agent Console access
Implement Network Segmentation
Restrict network access to GoAnywhere MFT admin interfaces to authorized management networks only.
🧯 If You Can't Patch
- Implement strict access controls and monitor all Admin User activity in GoAnywhere MFT logs
- Enable detailed audit logging and implement SIEM alerts for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check the GoAnywhere MFT version in the Admin Console under Help > About. If the version is below 7.6.0, the system is vulnerable.
Check Version:
Check version in GoAnywhere MFT Admin Console or via command line: java -jar goanywhere.jar --version
Verify Fix Applied:
After patching, verify that the version shown in the Admin Console is 7.6.0 or higher. Test that Admin Users with Agent Console access cannot reach pages outside their assigned permissions.
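The version check above is easy to get wrong when scripted across many hosts, because a plain string comparison sorts "7.10.0" below "7.6.0". The helper below is an added example, not part of this advisory or of Fortra's tooling; it assumes only that the version string copied from Help > About (or any inventory source) contains a dotted numeric version, and compares it against the 7.6.0 fix version as integer tuples.

```python
import re

# Fix version for CVE-2024-25157 per the vendor advisory (FI-2024-009).
FIXED_VERSION = (7, 6, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the first dotted numeric version from free text.

    Accepts inputs such as '7.5.2', 'Version 7.4.1 (build 1234)' or '7.6'.
    The result is a 3-tuple of ints, zero-padded, so that tuple comparison
    orders 7.10.0 above 7.6.0 (a string compare would invert that).
    """
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return (parts + (0, 0, 0))[:3]


def is_vulnerable(version_text: str) -> bool:
    """True if the installed GoAnywhere MFT version is below the 7.6.0 fix."""
    return parse_version(version_text) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample inventory values, not real host data.
    for sample in ["7.5.2", "Version 7.4.1 (build 1234)", "7.6.0", "7.10.1"]:
        print(f"{sample:30} vulnerable={is_vulnerable(sample)}")
```

Feed it the strings your asset inventory already holds; anything that raises `ValueError` has no parseable version and needs a manual look rather than being silently treated as patched.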
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to restricted admin pages
- Admin User accessing pages outside their assigned permissions
- Multiple failed permission validation events
Network Indicators:
- Unusual patterns of admin page access from single Admin Users
- Access to administrative endpoints without proper authorization headers
SIEM Query:
source="goanywhere.log" AND (event_type="PERMISSION_VIOLATION" OR message="*unauthorized*access*")