A new zero-day vulnerability has been found in GoAnywhere MFT, a popular file transfer application.
The vulnerability first came to light when infosec.exchange user @firstname.lastname@example.org tooted about it on the InfoSec instance of Mastodon, the popular social media platform and Twitter competitor. In his toot, he shared the advisory from the vendor, Fortra (previously known as HelpSystems), on the GoAnywhere support portal.
The toot from @email@example.com is as follows:
The National Vulnerability Database has also referenced the GitHub page of the user frycos, where he mentions that he first came across the vulnerability in 2021, when he first reviewed GoAnywhere MFT. He also mentioned this in a relevant blog post.
The vulnerability is classified under the Common Weakness Enumeration as CWE-502, Deserialization of Untrusted Data.
The CVSS 3.1 string for this vulnerability is as follows
This indicates a CVSS 3.1 base score of 10.0 and a temporal score of 9.5, on account of a Remediation Level of Official Fix and a Report Confidence of Confirmed.