A critical security flaw has been discovered in Fortra’s GoAnywhere Managed File Transfer (MFT) software. The flaw, tracked as CVE-2024-0204, allows an unauthorized user to create an admin user via the administration portal, and has a CVSS score of 9.8 out of 10. Users who cannot upgrade to the latest version of the software can apply temporary workarounds to mitigate the vulnerability. The flaw was discovered and reported by Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants. The vulnerability is the result of a path traversal weakness, and cybersecurity firm Horizon3.ai has published a proof-of-concept exploit for it. While there is no evidence of active exploitation, the same product was previously abused by the Cl0p ransomware group.