CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-0204

CVSS 9.8v3.1pub. 2024-01-22upd. 2024-11-21

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-425 (Direct Request / Forced Browsing) and involves the application failing to properly verify user identity before granting access to sensitive administrative portal functions. An unauthenticated attacker can directly invoke the appropriate resource in the administrative portal, bypassing the required login procedure. As a result, it is possible to invoke the function that creates a new user with administrator privileges.

Impact

Attackers gain full administrative control over the GoAnywhere MFT system, which may lead to unauthorized access to transmitted files, modification of system configuration, and further compromise of the organization's infrastructure.

Mitigation & patch

Fortra GoAnywhere MFT must be immediately updated to version 7.4.1 or newer. Detailed information is available in the official Fortra security bulletin (FI-2024-001) at fortra.com/security/advisory/fi-2024-001.

Who is affected

Fortra GoAnywhere MFT versions prior to 7.4.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fortra Goanywhere Managed File Transfer

    APP
    Fortra
    6.0.07.0.0 – 7.4.1 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-10035CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Deserialization i command injection w Fortra GoAnywhere MFT (License Servlet)

CVE-2023-0669HIGH7.2⚠ KEVten sam produkt

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerabilit...

CVE-2025-14362HIGH7.3ten sam produkt

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User...

CVE-2025-1241MEDIUM5.8ten sam produkt

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2...

CVE-2026-0971MEDIUM4.3ten sam produkt

An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configure...