High · CISA KEV · Exploited in the wild · Public exploit

Pre-authentication RCE in Fortra GoAnywhere MFT License Response Servlet

Identifiers: CVE-2023-0669 · CWE-502 · Deserialization of Untrusted Data

CVE-2023-0669 affects Fortra GoAnywhere MFT. The vulnerability is in the License Response Servlet and related license-processing path, where the application deserializes attacker-controlled data from a license response bundle. Multiple sources in the provided content describe the issue as a pre-authentication command injection / remote code execution flaw caused by deserialization of untrusted data. Successful exploitation allows a remote, unauthenticated attacker to supply a crafted object that is deserialized by the server and results in arbitrary code execution. The issue was exploited as a zero-day beginning in January 2023 and was patched by Fortra in GoAnywhere MFT version 7.1.2.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

The primary impact is unauthenticated remote code execution on the GoAnywhere MFT server. In observed intrusions, attackers created unauthorized accounts, downloaded files, and in some cases deployed additional tooling such as Netcat and a JSP file. Because GoAnywhere MFT commonly handles sensitive transferred data and often has access to integrated external systems, compromise can lead to theft of hosted files, follow-on persistence, use of the server as a pivot point for internal reconnaissance or lateral movement, and ransomware/extortion activity. The content specifically links exploitation to Cl0p and other ransomware activity affecting numerous organizations.

Mitigation

If you can’t patch tonight, do this now.

Do not expose the GoAnywhere admin portal to the public internet; the content notes on-premises customers with an internet-exposed admin portal were at increased risk. If immediate patching is not possible, reduce external exposure of the application and restrict access to administrative interfaces. Conduct compromise assessment and post-exploitation cleanup, including log review, account review, credential rotation, and checking for dropped tools such as Netcat or suspicious JSP files. General hardening measures in the provided material include MFA, segmentation, SIEM/EDR monitoring, and minimizing internet exposure of public-facing services.
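
A log-review sketch for the compromise assessment described above, added here as an example and not taken from Fortra or from this page's sources: it lists requests to the License Response Servlet path this page names (/goanywhere/lic/accept) that came from outside the networks allowed to administer the server. The Common Log Format input, the ADMIN_NETS range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# License Response Servlet path as given on this page.
LICENSE_PATH = "/goanywhere/lic/accept"
# Assumption: networks allowed to reach the admin interface.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: Common Log Format lines (reverse proxy or servlet container access log).
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize(target):
    """Reduce a request target to a comparable path: drop the query string,
    percent-decode, strip ';' path parameters, collapse empty and '.' segments."""
    path = unquote(target.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return "/" + "/".join(s for s in segments if s not in ("", "."))

def review(lines):
    """Return {source_ip: [(timestamp, method, status), ...]} for requests to
    LICENSE_PATH whose source is outside ADMIN_NETS."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m or normalize(m["target"]) != LICENSE_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            src = None  # hostname or garbage in the client field: still report it
        if src is not None and any(src in net for net in ADMIN_NETS):
            continue
        hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges, not real events).
SAMPLE = [
    '10.20.0.15 - - [02/Feb/2023:09:14:01 +0000] "GET /goanywhere/lic/accept HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Feb/2023:09:20:44 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 500 1042',
    '203.0.113.7 - - [02/Feb/2023:09:20:51 +0000] "POST /goanywhere//lic/accept;jsessionid=AB12 HTTP/1.1" 500 1042',
    '198.51.100.23 - - [02/Feb/2023:10:02:10 +0000] "GET /goanywhere/ HTTP/1.1" 200 8450',
    '198.51.100.23 - - [02/Feb/2023:10:02:19 +0000] "POST /goanywhere/lic%2Faccept?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, events in review(SAMPLE).items():
        print(ip, events)
```

Any source address this reports is a starting point for the account review and credential rotation steps, not proof of compromise on its own.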

Remediation

Patch, then assume compromise.

Upgrade GoAnywhere MFT to version 7.1.2 or later, as the vulnerability was patched in 7.1.2. Fortra also advised affected customers to rotate the GoAnywhere Master Encryption Key after mitigation/remediation, reset all credentials and keys including those used with external trading partners and integrated systems, review audit logs, remove suspicious admin and web-user accounts, and revoke or rotate any credentials stored by GoAnywhere for external systems. For hosted environments, Fortra reprovisioned clean instances as part of remediation.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).

CVE-2023-0669 · Maturity: PoC · Verified exploit

This repository is a Java-based exploit for CVE-2023-0669, a pre-authentication command injection vulnerability in Fortra GoAnywhere MFT. The exploit targets the License Response Servlet (typically at /goanywhere/lic/accept), which is vulnerable due to unsafe deserialization of attacker-controlled objects. The main entry point is 'src/main/java/org/gaw/Exploit.java', which provides a command-line interface to generate a malicious serialized payload (using ysoserial gadget chains, e.g., CommonsBeanutils1), encrypt it with the appropriate AES key (matching the GoAnywhere MFT implementation), and send it to the target endpoint. The exploit supports specifying a proxy, custom endpoint path, and arbitrary commands for execution. The repository includes supporting code for payload generation, encryption, HTTP communication, and utility functions. The exploit is operational and can be used to achieve remote code execution on vulnerable GoAnywhere MFT servers. No hardcoded IPs or domains are present, but the default and expected endpoint is '/goanywhere/lic/accept'.

0xf4n9x · Disclosed Feb 10, 2023 · java, xml, network

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Fortra | Goanywhere Managed File Transfer | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.