
A zero-day vulnerability affecting Fortra’s GoAnywhere MFT managed file transfer application is being actively exploited in the wild.
Details of the flaw were first published on Mastodon by security reporter Brian Krebs. There are no published advisories from Fortra.
This vulnerability is a case of remote code injection that requires access to the application’s management console, so it is imperative that the system is not exposed to the public internet.
According to security researcher Kevin Beaumont, there are over 1,000 on-premises instances publicly accessible over the internet, the majority of which are located in the United States.
“The Fortra advisory cited by Krebs advises GoAnywhere MFT customers to review all administrative users and monitor unrecognized usernames, especially those created by the system,” Rapid7 researcher Caitlin Condon said.
“The logical reasoning is that Fortra may have seen subsequent attacker actions, including the creation of new administrators or other users, in order to take over vulnerable target systems or maintain persistence. It is highly likely that there will be.”
Alternatively, the cybersecurity firm said threat actors could exploit reused, weak, or default credentials to gain administrative access to the console.
Fortra has released a workaround, which is to remove the “License Response Servlet” configuration from the web.xml file, but there is currently no patch available for the zero-day vulnerability.
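One way to confirm the workaround is in place is to parse web.xml and report any servlet declaration or mapping that still carries that name. This is an added example, not Fortra's code: the servlet name is taken from the text above, while the sample descriptors, class name and URL pattern are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SERVLET_NAME = "License Response Servlet"  # name as quoted in the article


def local(tag):
    """Strip an XML namespace prefix: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def find_servlet_entries(web_xml_text, name=SERVLET_NAME):
    """Return the tags of <servlet>/<servlet-mapping> elements that still
    declare `name`. An empty list means the configuration has been removed.
    The parser drops XML comments, so a commented-out block counts as removed."""
    root = ET.fromstring(web_xml_text)
    wanted = " ".join(name.split()).lower()
    hits = []
    for elem in root:
        if local(elem.tag) not in ("servlet", "servlet-mapping"):
            continue
        for child in elem:
            if local(child.tag) == "servlet-name":
                found = " ".join((child.text or "").split()).lower()
                if found == wanted:
                    hits.append(local(elem.tag))
    return hits


# Constructed sample: descriptor with the servlet still configured.
SAMPLE_BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>example.placeholder.LicenseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/placeholder/path</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed sample: the same entries commented out.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("<servlet>", "<!-- <servlet>").replace(
    "</servlet-mapping>", "</servlet-mapping> -->")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_servlet_entries(text) or "servlet configuration not present")
```

Pass the contents of the deployed web.xml to `find_servlet_entries`; the file's location depends on the installation.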
Vulnerabilities in file transfer solutions have become attractive targets for attackers. Flaws in Accellion and FileZen have been weaponized for data theft and extortion.