
The maker of GoAnywhere MFT, a popular managed file transfer application, is warning about a zero-day remote code injection exploit. The company said it has temporarily taken the service offline in response.

I had to create an account on the service to find this security advisory, so I'll just paste the advisory here:

"On Prem Notification / Technical Bulletin, Feb 1, 2023

A Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT. The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).

If the administrative console is exposed to the public internet, it is highly recommended that you partner with our customer support team to put in place appropriate access controls to limit trusted sources.

The Web Client interface, which is normally accessible from the public internet, is not susceptible to this exploit, only the administrative interface.

If your administrative interface had been publicly exposed and/or appropriate access controls cannot be applied to this interface, follow these steps to evaluate and mitigate your exposure:

1. Review all administrator users

Evaluate your admin user accounts for anything suspicious. Key indicators on these accounts include:

- Unrecognized usernames. You can view more details by clicking the cog icon next to any User Name listed and selecting the "View" option.

- The Created By details show 'system'. Note: there are some default, or initial, admin user accounts that are created automatically, either through initial deployment or the default 'disabled' root and administrator accounts. If there are admin accounts created by 'system' that aren't recognized, investigate further.

- The timing of the account creation is suspicious. The Created On time and date may not be during a time when you would have been working with the platform.

- The Admin Audit Log shows a non-existent or disabled super user creating this account. Search the Administration log for activity (Reporting -> Audit Logs -> Administration) and look for anything created by the root user. Click the magnifying glass next to the log entry of suspicious activity to view more details.

2. Apply mitigation configuration

On the file system where GoAnywhere MFT is installed, edit the file [install_dir]/adminroot/WEB-INF/web.xml
Find and remove (delete or comment out) the following servlet and servlet-mapping configuration, shown below. Note that the servlet-name in the servlet-mapping must match the servlet-name declared in the servlet element.

Before:

    <servlet>
        <servlet-name>License Response Servlet</servlet-name>
        <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
        <load-on-startup>0</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>License Response Servlet</servlet-name>
        <url-pattern>/lic/accept/</url-pattern>
    </servlet-mapping>

After (add the <!-- and --> tags to comment out the section as shown, or simply delete the section if you are not familiar with XML comments):

    <!--
    <servlet>
        <servlet-name>License Response Servlet</servlet-name>
        <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
        <load-on-startup>0</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>License Response Servlet</servlet-name>
        <url-pattern>/lic/accept/</url-pattern>
    </servlet-mapping>
    -->

Restart the GoAnywhere MFT application

If GoAnywhere MFT is clustered, this change needs to happen on every instance node in the cluster.

If you have questions, our support team is here to help. Please contact Support via the portal my.goanywhere.com/, email goanywhere.support@helpsystems.com, or phone 402-944-4242 for assistance."
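Step 2 of the advisory is a hand edit that has to be repeated on every cluster node, and nothing in it tells you whether the edit actually took. The script below is an added example, not the vendor's code and not part of the original post: it comments out the LicenseResponseServlet block and the /lic/accept/ mapping in the adminroot web.xml the advisory names, skips blocks that are already inside an XML comment so it can be re-run safely, keeps a timestamped backup, and then verifies that no live mapping to /lic/accept/ remains. The sample web.xml, its namespace URI and the com.example.OtherServlet entry are constructed for the demo; only the License Response Servlet block mirrors the advisory.

```python
"""Comment out the LicenseResponseServlet in a GoAnywhere MFT adminroot web.xml.

Added example for the advisory's mitigation step; not vendor code. It assumes
the web.xml layout the advisory shows: a <servlet> whose <servlet-class> is the
LicenseResponseServlet and a <servlet-mapping> for /lic/accept/.
"""
import re
import shutil
import sys
from datetime import datetime
from pathlib import Path

TARGET_CLASS = "com.linoma.ga.ui.admin.servlet.LicenseResponseServlet"
TARGET_URL = "/lic/accept/"

SERVLET_RE = re.compile(r"<servlet>.*?</servlet>", re.DOTALL)
MAPPING_RE = re.compile(r"<servlet-mapping>.*?</servlet-mapping>", re.DOTALL)
NAME_RE = re.compile(r"<servlet-name>\s*(.*?)\s*</servlet-name>", re.DOTALL)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)

# Constructed sample for the demo: the namespace URI and com.example.OtherServlet
# are invented; the License Response Servlet block mirrors the advisory text.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>Some Other Servlet</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Some Other Servlet</servlet-name>
    <url-pattern>/other/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Licenses Response Servlet</servlet-name>
    <url-pattern>/lic/accept/</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _active(text):
    """Blank out existing XML comments (offsets preserved) so disabled blocks are ignored."""
    return COMMENT_RE.sub(lambda m: " " * len(m.group()), text)


def find_blocks(text):
    """Return sorted (start, end) spans of live blocks that must be disabled."""
    scan = _active(text)
    spans, names = [], set()
    for m in SERVLET_RE.finditer(scan):
        if TARGET_CLASS in m.group():
            spans.append(m.span())
            names.update(NAME_RE.findall(m.group()))
    for m in MAPPING_RE.finditer(scan):
        block = m.group()
        # Match on the name the servlet declared or on the URL itself: the
        # advisory's mapping spells the name differently, so the URL is the safety net.
        if TARGET_URL in block or any(n in names for n in NAME_RE.findall(block)):
            spans.append(m.span())
    return sorted(spans)


def comment_out(text):
    """Wrap each target block in an XML comment. Returns (new_text, blocks_disabled)."""
    out, pos = [], 0
    spans = find_blocks(text)
    for start, end in spans:
        block = text[start:end]
        # "--" is illegal inside an XML comment, so such a block is deleted instead.
        wrapped = "" if "--" in block else "<!-- disabled per Feb 1 2023 advisory\n" + block + "\n-->"
        out.append(text[pos:start])
        out.append(wrapped)
        pos = end
    out.append(text[pos:])
    return "".join(out), len(spans)


def is_mitigated(text):
    """True when no live block references the servlet class or serves /lic/accept/."""
    return not find_blocks(text) and TARGET_CLASS not in _active(text)


def mitigate_file(path):
    """Back up web.xml, disable the servlet, verify. Returns blocks disabled."""
    p = Path(path)
    text = p.read_text(encoding="utf-8")
    new_text, n = comment_out(text)
    if n:
        stamp = datetime.now().strftime("%Y%m%d%H%M%S")
        shutil.copy2(p, p.with_name(p.name + ".bak-" + stamp))
        p.write_text(new_text, encoding="utf-8")
    if not is_mitigated(new_text):
        raise RuntimeError("LicenseResponseServlet still live in %s" % p)
    return n


if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python disable_license_servlet.py /path/to/web.xml
        print("disabled %d block(s) in %s" % (mitigate_file(sys.argv[1]), sys.argv[1]))
    else:
        fixed, n = comment_out(SAMPLE_WEB_XML)
        print(fixed)
        print("blocks disabled:", n, "mitigated:", is_mitigated(fixed))
```

Run it with the path to a node's web.xml to apply the change, or with no arguments to see it operate on the constructed sample. The text-based approach is deliberate: a DOM round-trip would drop the file's comments and reorder namespace declarations, while wrapping the matched spans leaves everything else byte-for-byte intact. After running it on each cluster node, restart the application as the advisory says; is_mitigated() is the post-change check, and a non-zero return from a second run means a node was missed.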
