CVE-2024-9945 Overview
An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders. This vulnerability enables unauthenticated attackers to potentially access sensitive configuration files and administrative resources through the network without requiring user interaction or special privileges.
Critical Impact
Unauthenticated remote attackers can access sensitive resources in admin root folders of GoAnywhere MFT installations, potentially exposing configuration data and administrative information to unauthorized parties.
Affected Products
- Fortra GoAnywhere MFT versions prior to 7.7.0
Discovery Timeline
- 2024-12-13 - CVE-2024-9945 published to NVD
- 2025-08-29 - Last updated in NVD database
Technical Details for CVE-2024-9945
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating that the GoAnywhere MFT application fails to properly restrict access to certain administrative resources. The flaw allows network-based attackers to bypass intended access controls and retrieve information from admin root folders without authentication.
The vulnerability requires no privileges, no user interaction, and has low attack complexity, making it relatively straightforward for attackers to exploit. While the confidentiality impact is limited, the accessibility of the vulnerability from the network creates a significant exposure risk for organizations using unpatched versions of GoAnywhere MFT.
Root Cause
The root cause stems from improper access control mechanisms in Fortra GoAnywhere MFT that fail to adequately protect resources within certain admin root folders. The application does not properly validate or restrict external requests attempting to access these administrative directories, allowing unauthorized users to retrieve potentially sensitive information.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can remotely target GoAnywhere MFT installations by sending crafted requests to access resources in admin root folders. The vulnerability allows read-only access to sensitive information but does not permit modification of data or system disruption.
The attack flow involves identifying exposed GoAnywhere MFT instances and crafting requests to access administrative resources that should be restricted. Due to the improper access controls, these requests succeed, potentially revealing configuration details, system information, or other sensitive data stored in the admin folders.
Detection Methods for CVE-2024-9945
Indicators of Compromise
- Unusual access patterns to GoAnywhere MFT admin directories from external IP addresses
- Web server logs showing requests targeting administrative root folder paths from unauthenticated sources
- Unexpected access to configuration files or administrative resources without corresponding login events
Detection Strategies
- Monitor web application firewall (WAF) logs for suspicious requests targeting GoAnywhere MFT admin endpoints
- Implement network-based detection rules to identify unauthorized access attempts to administrative paths
- Review access logs for requests to admin root folder resources originating from external networks
- Deploy intrusion detection signatures to alert on exploitation attempts against GoAnywhere MFT
Monitoring Recommendations
- Enable verbose logging on GoAnywhere MFT installations to capture all access attempts to administrative resources
- Configure alerts for access attempts to admin folders from non-whitelisted IP addresses
- Regularly audit access logs for anomalous patterns indicating potential information disclosure attempts
- Implement real-time monitoring of GoAnywhere MFT web traffic for reconnaissance and exploitation activity
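To make the log review described in the detection and monitoring items above concrete, the following is an added example (not from this advisory or from Fortra) that scans web-server access logs for successful requests to admin-folder paths coming from untrusted clients with no earlier login. The Combined Log Format, the admin path prefix, and the login handler path are assumptions to be adjusted to the real deployment, and the log lines are constructed.

```python
"""Flag admin-path requests from outside an allowlist with no prior login.
Added example for this advisory; the admin prefix, login path and log
format are assumptions, and the sample log lines are constructed."""
import ipaddress
import re

ADMIN_PREFIXES = ("/admin/",)       # assumed placeholder for the admin root folders
LOGIN_PATH = "/admin/login"         # assumed placeholder for the admin login handler
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # management network allowlist

# Combined Log Format: ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious(lines):
    """Return (ip, path, status) for 2xx admin-path responses served to
    untrusted clients that had no successful login earlier in the log."""
    logged_in = set()   # client IPs seen completing a login POST
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue    # tolerate unparseable lines instead of aborting the scan
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if path == LOGIN_PATH and m["method"] == "POST" and status in (200, 302):
            logged_in.add(ip)
            continue
        if (path.startswith(ADMIN_PREFIXES) and 200 <= status < 300
                and not is_trusted(ip) and ip not in logged_in):
            hits.append((ip, path, status))
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/root/config.example HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /admin/root/config.example HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:02:05 +0000] "GET /admin/root/config.example HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:03:00 +0000] "GET /admin/root/other.example HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2025:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT: admin resource served to untrusted, unauthenticated client:", hit)
```

Only the second line is reported: the first comes from the trusted network, the fourth follows a successful login from the same client, and the 404 and non-admin requests are ignored.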
How to Mitigate CVE-2024-9945
Immediate Actions Required
- Upgrade Fortra GoAnywhere MFT to version 7.7.0 or later immediately
- Restrict network access to GoAnywhere MFT administrative interfaces using firewall rules
- Implement network segmentation to limit exposure of MFT services to trusted networks only
- Review access logs for evidence of prior exploitation attempts
Patch Information
Fortra has addressed this vulnerability in GoAnywhere MFT version 7.7.0. Organizations should upgrade to this version or later to remediate the information disclosure risk. Detailed patch information is available in the Fortra Security Advisory FI-2024-014.
Workarounds
- Implement strict firewall rules to restrict access to GoAnywhere MFT admin interfaces to authorized IP addresses only
- Deploy a web application firewall (WAF) with rules to block unauthorized access attempts to admin directories
- Place GoAnywhere MFT behind a reverse proxy with authentication requirements for administrative paths
- Consider temporarily disabling external access to the application until patching can be completed
# Example firewall rule to restrict admin access (iptables)
# Allow admin access only from the trusted management network; replace
# 10.0.0.0/24 and port 8000 with your management subnet and admin console port.
# Rule order matters: -A appends and iptables evaluates rules top to bottom,
# so the ACCEPT rule must be added before the DROP rule.
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.