CVE-2024-25156: 
GoAnywhere MFT vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2024-25156) was discovered in GoAnywhere MFT versions prior to 7.4.2. The vulnerability allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients. The issue was discovered on December 1, 2023, and was publicly disclosed on March 14, 2024. The vulnerability affects all versions of Fortra GoAnywhere MFT prior to version 7.4.2 (Fortra Advisory).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (Fortra Advisory).

Using a crafted URL, an unauthorized user may access pages within GoAnywhere, potentially leading to information disclosure. In non-default configurations, it may also allow web user self-registration in some circumstances (Fortra Advisory).

The primary mitigation is to upgrade to GoAnywhere MFT version 7.4.2 or higher. For customers who cannot immediately upgrade, it is recommended to ensure Web User Self-Registration is disabled and there are no self-registration rules configured with 'allow' permissions. Customers with self-registration enabled should review their registration rules and configure them to require admin approval while denying email patterns that don't match organizational requirements (Fortra Advisory).