{"id":55185,"date":"2024-01-24T14:53:53","date_gmt":"2024-01-24T14:53:53","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35433\/CVE-2024-0204-Fortra-GoAnywhere-MFT-Authentication-Bypass-Deep-Dive.html"},"modified":"2024-01-24T14:53:53","modified_gmt":"2024-01-24T14:53:53","slug":"cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive\/","title":{"rendered":"CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive"},"content":{"rendered":"<div>\n<p>On January 22, 2024, Fortra posted a <a href=\"https:\/\/www.fortra.com\/security\/advisory\/fi-2024-001\" data-wpel-link=\"external\" rel=\"noopener noreferrer\">security advisory<\/a> for its GoAnywhere MFT product. This advisory details an authentication bypass vulnerability, CVE-2024-0204, that allows an unauthenticated attacker to create an administrative user for the application. Customers were first made aware of the issue through an internal security advisory post and a patch made available on December 4, 2023, in which researchers <a href=\"https:\/\/twitter.com\/malcolmx0x\" data-wpel-link=\"external\" rel=\"noopener noreferrer\">malcolm0x<\/a> and <a href=\"https:\/\/twitter.com\/IslamRalsaid1\" data-wpel-link=\"external\" rel=\"noopener noreferrer\">Islam Elrfai<\/a> were originally credited with the discovery. In 2023, file transfer applications were a <a href=\"https:\/\/www.horizon3.ai\/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise\/\" data-wpel-link=\"internal\">top target<\/a> for threat actors. 
Our POC can be found <a href=\"https:\/\/github.com\/horizon3ai\/CVE-2024-0204\" data-wpel-link=\"external\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<h3>Finding The Differences<\/h3>\n<p>The advisory mentions that the endpoint <code>\/InitialAccountSetup.xhtml<\/code> can be deleted and the service restarted to mitigate the issue. Looking through the application directories and inspecting the file <code>GoAnywhere\/adminroot\/WEB-INF\/forms-faces.xml<\/code>, we find that this endpoint is mapped to the <code>com.linoma.ga.ui.admin.users.InitialAccountSetupForm<\/code> class.<\/p>\n<p>Figure 1. 
Endpoint to Class Mapping<\/p>\n<p>Using advanced tooling, we find that this class is defined in <code>GoAnywhere\/lib\/gamft-7.4.0.jar<\/code>.<\/p>\n<p>Figure 2. 
Finding the InitialAccountSetupForm class<\/p>\n<p>Comparing the gamft jars from 7.4.0 and 7.4.1 reveals that several additional checks were added to the initializer of the InitialAccountSetupForm class.<\/p>\n<div id=\"attachment_242863\" class=\"wp-caption aligncenter\">\n<p id=\"caption-attachment-242863\" class=\"wp-caption-text\">InitialAccountSetupForm.java<\/p>\n<\/div>\n<p>During installation, GoAnywhere first directs the user to this endpoint to set up a new administrative user.<\/p>\n<p>Figure 3. Add Administrative User During Install<\/p>\n<p>After installation, requesting the supposedly vulnerable endpoint directly did not give us access to the same page; instead, the application redirects the user to the <code>\/Dashboard.xhtml<\/code> endpoint and finally to <code>\/auth\/Login.xhtml<\/code> because the user is not authenticated.<\/p>\n<p>Tracing this behavior in the application leads us to the <code>com.linoma.dpa.security.SecurityFilter<\/code> class. This filter is invoked on every request, and its <code>doFilter()<\/code> method checks which endpoint is being requested; based on the endpoint, the user context, and the application settings, it decides whether the request is routed on to that endpoint.<\/p>\n<p>Figure 4. 
SecurityFilter class<\/p>\n<p>Inspecting the SecurityFilter class more closely, we find a couple of explicit places that deal with requests for the <code>\/InitialAccountSetup.xhtml<\/code> endpoint mentioned in the advisory.<\/p>\n<ol>\n<li>On line 91, if no admin user has been created yet and the path is not <code>\/wizard\/InitialAccountSetup.xhtml<\/code>, the filter routes the request to this setup page.<\/li>\n<li>On line 102, if an admin user already exists and the path is <code>\/wizard\/InitialAccountSetup.xhtml<\/code>, the filter redirects to <code>\/Dashboard.xhtml<\/code>.<\/li>\n<\/ol>\n<p>Figure 5. 
InitialAccountSetup logic<\/p>\n<p>Weighing the patches we observed against this logic, and with no way to pass the <code>isAdminUserCreated<\/code> check, we were unsure exactly how this bypass could occur. Setting logic aside and trusting our spidey senses instead, we considered whether there might be a path normalization issue. Classically, Tomcat-based applications have path traversal issues when the request contains <code>\/..;\/<\/code>: Tomcat treats everything after a <code>;<\/code> in a path segment as a path parameter and resolves the <code>..<\/code> before dispatching, so a filter that matches on the raw request path can see a different path than the one the container ultimately serves. Requesting the supposedly vulnerable endpoint with a URL such as <code>https:\/\/192.168.1.1:8001\/goanywhere\/images\/..;\/wizard\/InitialAccountSetup.xhtml<\/code> results in the application routing us to the setup page once again!<\/p>\n<p>Figure 6. Bypassing doFilter() with \/..;\/<\/p>\n<p>Submitting this form again, taking care to rewrite the form submission request so that it also includes the path traversal, we find that a new administrative user has been created.<\/p>\n<p>Figure 7. Administrative User Added<\/p>\n<p>Our proof-of-concept exploit that adds an administrative user can be found on our GitHub.<\/p>\n<h3>Indicators of Compromise<\/h3>\n<p>The easiest indicator of compromise to check is any new addition to the <code>Admin Users<\/code> group, visible in the GoAnywhere administrator portal under Users -&gt; Admin Users. If the attacker has left this user in place, its last logon activity may give an approximate date of compromise.<\/p>\n<p>Additionally, logs for the database are stored at <code>\\GoAnywhere\\userdata\\database\\goanywhere\\log\\*.log<\/code>. 
These files contain transactional history of the database, for which adding users will create entries.<\/p>\n<p><a href=\"https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM.png\" data-wpel-link=\"external\" rel=\"noopener noreferrer\"><picture decoding=\"async\" class=\"aligncenter wp-image-242860\"><source type=\"image\/webp\" data-lazy-srcset=\"https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM.png.webp 1150w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-300x18.png.webp 300w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-1024x61.png.webp 1024w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-768x46.png.webp 768w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-1080x65.png.webp 1080w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-980x59.png.webp 980w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-480x29.png.webp 480w\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns='http:\/\/www.w3.org\/2000\/svg'%20viewBox='0%200%20643%2039'%3E%3C\/svg%3E\" data-lazy-sizes=\"(max-width: 643px) 100vw, 643px\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM.png\" alt width=\"643\" height=\"39\" data-lazy-srcset=\"https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM.png 1150w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-300x18.png 300w, 
https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-1024x61.png 1024w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-768x46.png 768w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-1080x65.png 1080w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-980x59.png 980w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-480x29.png 480w\" data-lazy-sizes=\"(max-width: 643px) 100vw, 643px\">\n<\/picture>\n<\/a><\/p>\n<p><noscript><picture decoding=\"async\" class=\"aligncenter wp-image-242860\"><source type=\"image\/webp\" srcset=\"https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM.png.webp 1150w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-300x18.png.webp 300w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-1024x61.png.webp 1024w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-768x46.png.webp 768w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-1080x65.png.webp 1080w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-980x59.png.webp 980w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-480x29.png.webp 480w\" sizes=\"(max-width: 643px) 100vw, 643px\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM.png\" alt width=\"643\" height=\"39\" 
srcset=\"https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM.png 1150w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-300x18.png 300w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-1024x61.png 1024w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-768x46.png 768w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-1080x65.png 1080w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-980x59.png 980w, https:\/\/p7i3u3x3.rocketcdn.me\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-23-at-3.08.21\u202fPM-480x29.png 480w\" sizes=\"auto, (max-width: 643px) 100vw, 643px\">\n<\/picture>\n<\/noscript>Figure 8. Indicator of User Additions in Database Logs<\/p>\n<div class=\"blog-end-callout\">\n<h5>Sign up for a free trial and quickly verify you\u2019re not exploitable.<\/h5>\n<p><a class=\"et_pb_button\" href=\"https:\/\/portal.horizon3ai.com\" target=\"_blank\" rel=\"noopener noreferrer\" data-wpel-link=\"external\">Start Your Free Trial<\/a><\/p>\n<\/div><\/div>\n<p>READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/35433\/CVE-2024-0204-Fortra-GoAnywhere-MFT-Authentication-Bypass-Deep-Dive.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":55186,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[968],"class_list":["post-55185","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlineflaw"],"yoast_head":"<!-- This site is optimized with 
the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive 2026 | ThreatsHub Cybersecurity News<\/title>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-24T14:53:53+00:00\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<!-- \/ Yoast SEO plugin. -->"}