Fortra GoAnywhere MFT Broken Access Control Leading to Denial-of-Service Vulnerability

Vulnerability

A broken access control vulnerability has been identified in Fortra's GoAnywhere MFT versions prior to 7.8.1. This vulnerability allows an attacker to create a denial-of-service condition when the application is configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not provided an email address. In such cases, the attacker can enter the email address of a known user, potentially disabling that user if they have GOTP configured.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, where affected users are disabled and unable to access the application.

Remediation

Users should ensure that every individual using GOTP email for 2FA has an email address set. For scenarios where the email cannot be pre-set, such as self-registration, it is recommended to switch the Admin and Web User Templates to an alternative 2FA method, such as Time-based One-Time Password (TOTP) or RADIUS. Additionally, users can update to GoAnywhere MFT version 7.8.1 or higher.
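The remediation above amounts to three checks an administrator can run: find accounts that use GOTP email 2FA without an email on file, find templates that still hand GOTP email 2FA to self-registered users, and confirm the installed version is 7.8.1 or later. The script below is an added example that is not Fortra's code or part of the original advisory; the record layout (a list of dicts with username, two_factor and email keys, and templates with name, default_two_factor and self_registration keys) and the method labels GOTP_EMAIL, TOTP and RADIUS are assumptions for illustration, not GoAnywhere's real export format. The sample data is constructed.

```python
"""Audit GoAnywhere-style user and template records for the GOTP email 2FA
misconfiguration described in the advisory.  Added example, not Fortra code.
The record layout and 2FA method labels are assumptions for illustration."""

import json

GOTP_EMAIL = "GOTP_EMAIL"                 # assumed label for GOTP email 2FA
SAFE_ALTERNATIVES = ("TOTP", "RADIUS")    # methods the advisory recommends instead
FIXED_VERSION = (7, 8, 1)                 # first fixed release per the advisory

# Constructed sample export (assumed layout): two accounts lack an email address.
SAMPLE_USERS = json.loads("""[
  {"username": "alice", "two_factor": "GOTP_EMAIL", "email": "alice@example.com"},
  {"username": "bob",   "two_factor": "GOTP_EMAIL", "email": ""},
  {"username": "carol", "two_factor": "TOTP",       "email": null},
  {"username": "dave",  "two_factor": "GOTP_EMAIL"}
]""")

# Constructed sample templates (assumed layout).
SAMPLE_TEMPLATES = json.loads("""[
  {"name": "Admin User Template", "default_two_factor": "GOTP_EMAIL", "self_registration": false},
  {"name": "Web User Template",   "default_two_factor": "GOTP_EMAIL", "self_registration": true},
  {"name": "Partner Template",    "default_two_factor": "RADIUS",     "self_registration": true}
]""")


def find_at_risk_users(records):
    """Return usernames that use GOTP email 2FA but have no email address set.

    These are the accounts the advisory says an attacker can target, because the
    application will accept a user-supplied email address at 2FA time."""
    at_risk = []
    for rec in records:
        method = (rec.get("two_factor") or "").upper()
        email = (rec.get("email") or "").strip()
        if method == GOTP_EMAIL and not email:
            at_risk.append(rec["username"])
    return at_risk


def find_templates_needing_change(templates):
    """Return template names that let self-registered users (who cannot have a
    pre-set email) default to GOTP email 2FA; the advisory recommends switching
    these to TOTP or RADIUS."""
    return [
        t["name"]
        for t in templates
        if t.get("self_registration")
        and (t.get("default_two_factor") or "").upper() == GOTP_EMAIL
    ]


def is_fixed_version(version):
    """True if a dotted version string is 7.8.1 or later (numeric comparison,
    so 7.10.0 correctly sorts after 7.8.1)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    # Pad short versions such as "7.8" so they compare like "7.8.0".
    parts = parts + (0,) * (len(FIXED_VERSION) - len(parts))
    return parts >= FIXED_VERSION


def audit(users, templates, version):
    """Combine the three checks into one report dict."""
    return {
        "version_fixed": is_fixed_version(version),
        "users_missing_email": find_at_risk_users(users),
        "templates_to_switch": find_templates_needing_change(templates),
        "recommended_methods": list(SAFE_ALTERNATIVES),
    }


if __name__ == "__main__":
    # Version string is a placeholder; read the real one from the installation.
    print(json.dumps(audit(SAMPLE_USERS, SAMPLE_TEMPLATES, "7.8.0"), indent=2))
```

On the constructed data the report flags bob and dave (GOTP email 2FA, no address), the Web User Template (self-registration defaulting to GOTP email), and reports the 7.8.0 placeholder as unpatched. Empty strings and null emails are both treated as missing, since either leaves the 2FA flow without a pre-set address.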

Added: Jul 16, 2025, 3:18 PM
Updated: Jul 16, 2025, 3:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 3.1
exploitability: 7.6
remediation: 7.9
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.