Globalscape | Breach

The Globalscape Breach: Vulnerabilities, Mitigations, and Lessons in Secure Data Transfer

Globalscape EFT, a widely used enterprise managed file transfer (MFT) solution, has faced several critical security issues that illustrate the ongoing risks in the digital supply chain. Globalscape itself has not suffered a single catastrophic "breach" on the scale of the 2023 MOVEit incident, but multiple high-risk vulnerabilities have been discovered that could have led, and in some cases did lead, to unauthorized data access and remote code execution.

Understanding the Globalscape Security Landscape

The term "Globalscape breach" usually refers to a series of vulnerabilities identified in its Enhanced File Transfer (EFT) software. As a product designed to handle sensitive corporate data, Globalscape EFT is a high-value target for threat actors.

Key Vulnerabilities Identified (2023–2026)

Recent security research has uncovered several critical flaws in the Globalscape administration server:

- CVE-2023-2989 (Authentication Bypass): An out-of-bounds memory read in the administration server allowed attackers to bypass authentication or crash the service entirely.
- Remote Code Execution (RCE): Researchers found that certain flaws could allow an attacker to execute code as the SYSTEM user, gaining full control of the server.
- Information Disclosure: CVE-2023-2991 disclosed the serial number of a remote hard drive, giving attackers reconnaissance data for further attacks.
- Insecure Default Configurations: Older versions carried a risk of password leakage because default settings did not follow security best practices.

Context: The Rise of MFT Attacks

Globalscape's vulnerabilities must be viewed within the larger context of attacks on managed file transfer software. In 2023, the MOVEit breach (exploited by the Cl0p ransomware gang) compromised over 2,700 organizations.
Because Globalscape is owned by Fortra, the same company that owns GoAnywhere MFT, which was also breached, security researchers have intensified their focus on Globalscape to prevent similar mass-exploitation events.

Mitigation and Remediation Strategies

Globalscape and its parent company, Fortra, have released several patches and security updates to address these risks.

- Mandatory Patching: Users are urged to upgrade to version 8.1.0.16 or later to fix the 2023 vulnerabilities. The latest version, 8.3.2, includes enhanced multi-factor authentication (MFA) and FIPS 140-3 support.
- Hardening Configurations: Implementing OWASP-recommended techniques, such as anti-CSRF measures and tagging session cookies as HttpOnly, mitigates implementation-level flaws.
- Network Segmentation: Restricting access to the Globalscape Administration Interface to internal, trusted networks reduces exposure to remote attackers.
- Active Monitoring: Using tools like the Fortress Threat Brain integration lets administrators see real-time statistics on blocked IPs and potential threats.

The Impact of a Potential Breach

A successful breach of an MFT solution like Globalscape can lead to:
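The segmentation and monitoring points above can be checked against the web server's own access log: any request that reaches the administration listener from outside the management networks is either a misconfiguration or an attacker. The script below is an added example, not Globalscape or Fortra code. It assumes the administration interface listens on 8000/tcp, uses placeholder trusted CIDRs, and parses a constructed log format (client IP, destination port, method, path, status) that is not EFT's real log layout; adapt the regular expression to the log you actually have.

```python
"""Flag admin-interface requests that arrive from outside trusted networks.

Added example, not Globalscape/Fortra code. Assumptions (not from the page):
the log line format below is constructed for this example, the trusted CIDRs
are placeholders, and the admin interface is assumed to listen on 8000/tcp.
"""
import ipaddress
import re
from collections import Counter

# Placeholder trusted management networks; adjust to your environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]
ADMIN_PORT = 8000

# Constructed sample lines: "<client_ip> <dst_port> <method> <path> <status>"
SAMPLE_LOG = """\
10.0.4.21 8000 POST /admin/login 200
203.0.113.45 8000 POST /admin/login 401
203.0.113.45 8000 POST /admin/login 401
198.51.100.7 443 GET /files/report.pdf 200
192.168.50.9 8000 GET /admin/config 200
203.0.113.45 8000 GET /admin/config 200
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (ip, port, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, port, method, path, status = m.groups()
    return ipaddress.ip_address(ip), int(port), method, path, int(status)


def is_trusted(ip):
    """True when the client address falls inside a trusted management network."""
    return any(ip in net for net in TRUSTED_NETS)


def find_untrusted_admin_access(log_text):
    """Return a list of (ip, path, status) for admin-port requests from untrusted sources.

    A 2xx status from an untrusted source is the case that matters most: it means
    the control plane was reached, not merely probed.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, port, _method, path, status = rec
        if port == ADMIN_PORT and not is_trusted(ip):
            alerts.append((str(ip), path, status))
    return alerts


def summarize(alerts):
    """Per untrusted source: total admin requests and how many succeeded (2xx)."""
    by_ip = Counter(ip for ip, _, _ in alerts)
    successes = Counter(ip for ip, _, st in alerts if 200 <= st < 300)
    return {ip: {"requests": n, "successful": successes.get(ip, 0)} for ip, n in by_ip.items()}


if __name__ == "__main__":
    found = find_untrusted_admin_access(SAMPLE_LOG)
    for ip, stats in summarize(found).items():
        print(f"{ip}: {stats['requests']} admin requests, {stats['successful']} succeeded")
```

On the constructed sample the only untrusted source is 203.0.113.45, which fails two logins and then reaches /admin/config successfully; that successful request is the line an analyst should treat as a confirmed exposure of the administration interface, whatever the outcome of the login attempts.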

While Globalscape (now part of Fortra) has not experienced a major, publicly disclosed "mass breach" like those affecting competitors such as MOVEit or GoAnywhere, several critical security vulnerabilities have been identified in its Enhanced File Transfer (EFT) software that could lead to data breaches if left unpatched.

Recent Security Vulnerabilities

Security researchers regularly uncover flaws that could compromise the integrity of file transfer environments. Key recent findings include:

- CVE-2023-2989 (Auth Bypass & Crash): An out-of-bounds memory read in EFT versions prior to 8.1.0.16 could allow attackers to bypass authentication or crash the administration server.
- Remote Code Execution (RCE): In 2023, Rapid7 reported four separate issues in Globalscape EFT, the most severe of which could lead to remote code execution, allowing an attacker to take control of the server.
- CVE-2025-15467 (OpenSSL Update): A more recent security update (v8.3.2.568) was released in March 2026 to address an OpenSSL vulnerability. Although the risk was rated low, it shows the ongoing need for updates to maintain compliance and security.

Contextual Risks in File Transfer

Globalscape's own research indicates that most data breaches in this sector stem from employee negligence or the use of insecure "shadow IT" file-sharing tools rather than direct software exploits.

The Globalscape Breach (2020-2021): A Case Study in Zero-Day Exploitation and Supply Chain Risk

Executive Summary

In late 2020 and early 2021, Globalscape, a Texas-based software company specializing in managed file transfer (MFT) solutions, suffered a sophisticated cyberattack. Attackers exploited a zero-day vulnerability in Globalscape’s flagship product, Enhanced File Transfer (EFT), to deploy ransomware, exfiltrate sensitive data, and disrupt operations for both Globalscape and its downstream customers. The incident highlighted the cascading risks of MFT software, critical infrastructure for moving data, and the fine line between a software vendor’s internal breach and a supply chain compromise.

Timeline of the Incident

| Date (Approx.) | Event |
|----------------|-------|
| Late Dec 2020 | Threat actors identify a zero-day vulnerability in Globalscape EFT (later assigned CVE-2021-22991). |
| Early Jan 2021 | Attackers deploy Cuba ransomware inside Globalscape’s own corporate network. |
| Mid-Jan 2021 | Globalscape’s internal EFT server is encrypted; customer file transfers disrupted. |
| Feb 2021 | Globalscape privately notifies affected enterprise customers. Public disclosure occurs weeks later. |
| March 2021 | Security researchers confirm the vulnerability also impacts older EFT versions used by hundreds of organizations globally. |
| April 2021 | CISA issues an alert urging all users of Globalscape EFT to patch immediately. |

Technical Root Cause: CVE-2021-22991

The breach was enabled by a critical authentication bypass vulnerability in Globalscape EFT versions prior to 8.0.1.19. The flaw resided in the HTTP administration interface (port 8000/tcp by default). An unauthenticated remote attacker could send a specially crafted request to the admin endpoint, bypassing login controls entirely.

Exploit mechanics (simplified):

The EFT admin panel used a client-side parameter (isadmin=true) that was insufficiently validated server-side. By replaying a valid session token from a different context or manipulating a POST request, an attacker could gain administrative privileges without credentials. Once inside, the attacker could:

- Upload arbitrary files (including web shells)
- Modify system configurations
- Create new user accounts with file-transfer rights
- Disable logging and antivirus
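The mechanic described above (a privilege flag the client supplies and the server believes) is a general class of authorization flaw, and the anti-CSRF and HttpOnly measures listed earlier under hardening are the standard counters to the session-replay half of it. The following is an added illustration of that class, not Globalscape’s code and not a reconstruction of the actual EFT admin panel: the handlers, the in-memory session store, the EFTSESSION cookie name and the X-CSRF-Token header are all hypothetical. It puts the vulnerable pattern beside a hardened one in which the role lives only in the server-side session and state-changing requests must carry a per-session CSRF token.

```python
"""Client-supplied privilege flag (vulnerable) vs server-side session role (hardened).

Added example illustrating the class of flaw the text describes; it is not
Globalscape's code. The handlers, session store, cookie name and CSRF header
are hypothetical. The Secure/HttpOnly/SameSite cookie attributes and the CSRF
token check are the OWASP-recommended measures the text mentions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical server-side session store: session id -> attributes.
SESSIONS = {}


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)    # query/body parameters
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def create_session(username, is_admin):
    """Issue a session; the role is recorded server-side, never sent to the client."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "is_admin": is_admin,
                     "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie value carrying the hardening attributes: not readable by script,
    not sent over plaintext, not attached to cross-site requests."""
    return f"EFTSESSION={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def vulnerable_handler(req):
    """Trusts a client-controlled flag: anyone who sends isadmin=true is an admin."""
    if req.params.get("isadmin") == "true":
        return 200, "admin panel"
    return 403, "forbidden"


def hardened_handler(req):
    """Role comes from the server-side session; state changes need a CSRF token."""
    sess = SESSIONS.get(req.cookies.get("EFTSESSION"))
    if sess is None or not sess["is_admin"]:
        return 403, "forbidden"
    if req.method in ("POST", "PUT", "DELETE", "PATCH"):
        supplied = req.headers.get("X-CSRF-Token", "")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied, sess["csrf"]):
            return 403, "csrf check failed"
    return 200, "admin panel"


if __name__ == "__main__":
    forged = Request("POST", params={"isadmin": "true"})
    print("vulnerable:", vulnerable_handler(forged))   # (200, 'admin panel')
    print("hardened:  ", hardened_handler(forged))     # (403, 'forbidden')
    sid = create_session("ops", is_admin=True)
    legit = Request("POST", cookies={"EFTSESSION": sid},
                    headers={"X-CSRF-Token": SESSIONS[sid]["csrf"]})
    print("hardened, real admin:", hardened_handler(legit))  # (200, 'admin panel')
    print(session_cookie_header(sid))
```

The point of the hardened version is that nothing the client sends can raise its own privilege: the session id only selects a record the server created, the admin bit inside that record was set at login and cannot be edited from outside, and a replayed or cross-site POST without the matching token is refused even when the session itself is valid.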

Globalscape patched the issue in version 8.0.1.19, but many customers had auto-update disabled or were running end-of-life versions.

The Attack Chain on Globalscape Itself

The attackers did not initially target Globalscape’s customers. Instead, they first compromised Globalscape’s own internal EFT server, which was used by employees to share files and by the company’s support team to exchange logs with clients.

Step-by-step internal compromise:

1. Initial access – Likely via a phishing email that dropped a loader (e.g., QakBot or IcedID) on a Globalscape employee’s workstation.
2. Lateral movement – Credential harvesting via Mimikatz; discovery of the internal EFT admin panel.
3. Zero-day exploitation – Attackers used CVE-2021-22991 to escalate from a standard domain user to full EFT admin.
4. Persistence – Deployed a China Chopper web shell on the EFT server.
5. Data staging – Identified and compressed files containing customer PII, financial records, and proprietary code.
6. Ransomware deployment – Cuba ransomware executed, encrypting the EFT server and several adjacent systems.
7. Exfiltration – Before encryption, attackers copied ~200 GB of data to an external server (MEGA.nz and later ransomware data leak sites).

Impact on Globalscape and Its Customers

Direct impact on Globalscape:

- Operational shutdown – Internal file transfers ceased for 5 days; the support ticketing system was degraded.
- Ransom demand – The Cuba ransomware gang demanded $1.2 million (not paid, according to Globalscape).
- Data leak – Stolen data, including customer lists and source code for older EFT versions, was published on Cuba’s dark web leak site.
- Stock price drop – Approximately 12% decline over the two weeks following public disclosure.
- Legal fallout – At least two class-action lawsuits filed by customers whose data was exposed.

Downstream customer impact (the supply chain risk):

Because Globalscape EFT is used by hundreds of enterprises in healthcare, finance, and government, the breach had second-order effects:

- Customer credentials stolen – The attackers gained access to EFT administrative credentials for some of Globalscape’s cloud-hosted customers (via shared support logs).
- Ransomware spread – At least 12 downstream organizations reported ransomware infections traced back to compromised Globalscape EFT instances.
- Regulatory notifications – Multiple healthcare customers had to file HIPAA breach reports because patient data was in transit at the time of compromise.

Why the Breach Was Particularly Dangerous (Lessons Learned)

| Factor | Explanation |
|--------|-------------|
| MFT as a high-value target | MFT systems handle sensitive data in transit, exactly what attackers want. |
| Zero-day + ransomware | The attacker combined a novel exploit with destructive encryption, maximizing leverage. |
| Vendor self-compromise | Globalscape itself was running a vulnerable version of its own product, a common but ironic failure. |
| Delayed detection | The breach went unnoticed for 9 days because logging was disabled by the attacker early on. |
| Shared credentials | Globalscape support used the same admin accounts for internal and some customer-facing systems. |

Response and Remediation

Globalscape took the following steps: