Tuesday, May 13, 2025
HomeCyber Security NewsExploit Released for GoAnywhere File Transfer Zero-Day Flaw

Exploit Released for GoAnywhere File Transfer Zero-Day Flaw

Published on

SIEM as a Service

Follow Us on Google News

A zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT-managed file transfer solution was actively exploited, according to a warning posted on Mastodon by security researcher Brian Krebs.

GoAnywhere is a safe web file transfer application that allows businesses to securely share encrypted data with partners while maintaining thorough audit logs of file access.

The issue is a remote code injection flaw that needs administrator console access to be exploited effectively.

- Advertisement - Google News

“A Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT,” according to the GoAnywhere security advisory.

“The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”

To find out how many GoAnywhere instances are publicly accessible internet, security expert Kevin Beaumont used Shodan and discovered 1,008 servers, mostly in the US.

Shodan scan results for exposed GoAnywhere MFT
Shodan scan results for exposed GoAnywhere MFT

According to the Rapid7, GoAnywhere MFT customers should verify all administrative accounts and keep an eye out for usernames that aren’t familiar, particularly those that were created by the system. 

“The Fortra advisory Krebs quoted advises GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by the system,” Rapid7 said.

“The logical deduction is that Fortra is likely seeing follow-on attacker behavior that includes the creation of new administrative or other users to take over or maintain persistence on vulnerable target systems.”

Security researcher Florian Hauser of IT security consultancy company Code White disclosed technical information and proof-of-concept exploit code on Monday that allows vulnerable GoAnywhere MFT servers to execute unauthenticated remote code.

“I could provide a working PoC (compare hash and time of my tweet) to my teammates within hours on the same day to protect our clients first,” according to Hauser.

“The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS”, explain Fortra.

A Shodan scan, however, reveals that nearly 1,000 GoAnywhere instances are open on the Internet, with about over 140 on ports 8000 and 8001 (the ones used by the vulnerable admin console).

Map of vulnerable GoAnywhere MFT servers
Map of GoAnywhere MFT servers that are vulnerable

The firm has not yet made this remote pre-authentication RCE security weakness publicly acknowledged. Hence, you must first sign up for a free account to read the alert, and by not releasing security upgrades to fix the vulnerability, all exposed installations remain subject to assaults.

“If this stacktrace is in the logs, it is very likely this system has been the target of attack,” Fortra says.

Although, a specific stacktrace that appears in the logs of compromised systems is one of the compromise indications listed in the private advisory.

Mitigation

The company offers mitigation guidance, such as putting in place access controls to restrict access to the GoAnywhere MFT administrator interface to authorized users or turning off the licensing service.

Administrators must remove or comment out the License Response Servlet’s servlet-mapping setting from the web.xml file in order to stop the licensing server. 

The updated configuration can only be used after a restart.

https://www.bleepstatic.com/images/news/u/1109292/2023/GoAnywhere%20MFT%20License%20REspons%20Servlet.png
Code to remove/comment out to disable GoAnywhere MFT’s licensing service

“Due to the fact that data in your environment could have been accessed or exported, you should determine whether you have stored credentials for other systems in the environment and make sure those credentials have been revoked,” Fortra made this update in a Saturday update.

“This includes passwords and keys used to access any external systems with which GoAnywhere is integrated.

“Ensure that all credentials have been revoked from those external systems and review relevant access logs related to those systems. This also includes passwords and keys used to encrypt files within the system.”

Network Security Checklist – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...