"Patch Released for Actively Exploited GoAnywhere MFT Zero-Day"

Fortra, known until recently as HelpSystems, alerted GoAnywhere MFT users on February 1 about a "zero-day remote code injection exploit." The company has since released two other security notifications, each of them providing mitigations and indicators of compromise (IoCs). GoAnywhere users are now being informed that a patch has been made available. The company is advising users to install GoAnywhere MFT 7.1.2. Customers running an admin portal exposed to the Internet should install the new version ASAP.

Presently there does not appear to be any information about attacks exploiting the vulnerability. It's unclear if state-sponsored threat actors or profit-driven cybercriminals have leveraged it. A CVE identifier has yet to be assigned to the flaw. The company has told users to check log files for a particular line that indicates a system has been targeted in an attack exploiting the zero-day vulnerability. If the log files show signs of compromise, users should check their installation for suspicious administrator users.

A researcher has published technical details on the flaw, and a proof-of-concept (PoC) exploit. A Shodan search shows nearly 1,000 internet-exposed instances of GoAnywhere. The company stated that exploitation requires access to the application's admin console, and at least some of the exposed instances appear to be associated with the product's web client interface, which is not affected.

 

SecurityWeek reports: "Patch Released for Actively Exploited GoAnywhere MFT Zero-Day"

Submitted by Anonymous on