Fortra Waited Six Weeks To Issue Advisory On Critical GoAnywhere Vulnerability

As of this writing, it’s unclear why the security vendor fixed a major flaw in the file transfer platform in early December but did not issue an advisory for more than a month.

GoAnywhere maker Fortra fixed a critical vulnerability in the widely used file transfer platform in early December but appears to have postponed public disclosure of the issue for more than six weeks, only releasing an advisory about the flaw Monday.

The move has raised questions about the reasoning for the delay in public disclosure, particularly given the fact that a prior vulnerability in the GoAnywhere managed file transfer (MFT) tool was exploited by threat actors in a high-profile series of data extortion attacks a year ago.

“Fortra evidently addressed this vulnerability in a December 7, 2023 release of GoAnywhere MFT, but it would appear they did not issue an advisory until now,” Caitlin Condon, director of vulnerability research and intelligence at Rapid7, said in a blog post Tuesday.

As of this writing, it was unclear why the public advisory was postponed. CRN has reached out to Fortra to ask for the reasoning behind the delay in releasing the advisory publicly.

Organizations rely on security advisories to help prioritize their patching efforts, given the massive number of software vulnerabilities that are continuously in need of fixing.

The way in which vendors address and communicate about vulnerabilities is “always important,” Condon said in an email to CRN Tuesday.

“We would hope that patch uptake began in December and will accelerate now that an advisory is broadly available,” Condon wrote.

A Fortra representative told CRN that the company sent an email to customers on Dec. 4, 2023, alerting them to the existence of the vulnerability. “A critical vulnerability that requires action to remediate has been found in Fortra’s GoAnywhere MFT software,” Fortra said in the email to customers, according to text of the message provided to CRN. The email to customers does not appear to provide further details on the vulnerability.

The GoAnywhere vulnerability (tracked as CVE-2024-0204) can enable an attacker to bypass authentication and has been assigned a severity score of 9.8 out of 10.0. The vulnerability is “remotely exploitable and allows an unauthorized user to create an admin user via the administration portal,” Condon said in the blog post.

In addition to the delay in releasing the advisory, Fortra also did not make clear in the disclosure Monday whether the vulnerability has seen active exploitation by attackers — another key piece of information that organizations look for while determining whether to prioritize a patch. In an email statement to CRN, Fortra said it has “no reports of active exploitation in the wild regarding this CVE.”

In any case, “we would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month,” Condon wrote in the Rapid7 blog post Tuesday. “Rapid7 strongly advises GoAnywhere MFT customers to take emergency action.”

Previous Attacks

In February 2023, Fortra informed customers that it had identified an actively exploited zero-day vulnerability in GoAnywhere that could be used to remotely execute code on vulnerable systems.

The largest incident from the GoAnywhere campaign — the hack of healthcare benefits and technology firm NationsBenefits — impacted 3 million members, according to the Identity Theft Resource Center.

The GoAnywhere platform was also exploited by hackers to steal data from numerous other large organizations including Procter & Gamble, the City of Toronto, Crown Resorts and data security firm Rubrik.

Months later in 2023, the Russian-speaking group behind the GoAnywhere attacks, Clop, went on to launch a massive attack campaign exploiting another file transfer tool, MOVEit. The number of impacted organizations from the MOVEit campaign has surpassed 2,700, with more than 94 million individuals affected, according to a tally by cybersecurity firm Emsisoft.