CVE-2024-9945 in GoAnywhere MFT

Summary

by MITRE • 12/13/2024

An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders.


Analysis

by VulDB Data Team • 08/30/2025

CVE-2024-9945 is a critical information-disclosure flaw in Fortra's GoAnywhere MFT application affecting versions prior to 7.7.0. It stems from inadequate access controls and improper authorization checks in the application's administrative interface, specifically in the admin root folders. The flaw lets unauthenticated or improperly authenticated external actors reach sensitive administrative resources that should be restricted to authorized personnel only.

Technically, the vulnerability manifests as insufficient input validation and access-control checks in the application's resource-management subsystem. When a request targets certain administrative directories, the application fails to properly verify the requester's authorization level, allowing external parties to traverse the administrative file structure and potentially reach confidential data, configuration files, or administrative tools. The weakness maps to CWE-284 (Improper Access Control) and is a significant departure from the principle of least privilege that should govern every administrative interface.

The operational impact goes beyond simple data exposure: the vulnerability gives attackers access to critical administrative resources that could facilitate further exploitation. A successful attacker could read system configuration files, user credentials, audit logs, or other sensitive administrative data and leverage them for privilege escalation, lateral movement, or complete system compromise. Because the exposed attack surface permits reconnaissance without authentication, the flaw is particularly dangerous in environments where administrative access is otherwise tightly restricted to authorized personnel.

Organizations running Fortra GoAnywhere MFT prior to version 7.7.0 face significant risk from this information-disclosure vulnerability: exposure of administrative resources can lead to data breaches, regulatory compliance violations, and system compromise. Security teams should assess their deployments immediately and upgrade to version 7.7.0 or later, which includes the access-control fixes. Additional mitigations include network segmentation, stronger authentication mechanisms, and monitoring for unauthorized access attempts against administrative directories; network-based controls such as firewalls and intrusion detection systems can further restrict and monitor access to administrative interfaces. The vulnerability also underlines the need for regular application security testing and prompt patching of enterprise file-transfer systems, and illustrates the consequences of delayed remediation in enterprise security infrastructure.

Responsible

Fortra

Reservation

10/14/2024

Disclosure

12/13/2024

Moderation

accepted

CPE

ready

EPSS

0.00302

KEV

no

Activities

very low
