CVE-2023-0669
published 2023-02-06

Priority: P1 89
Severity: high (CVSS 3.1 base score 7.2)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability (due 2023-03-03)
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

Affected

2 ranges

Vendor | Product                          | Version range | Fixed in
fortra | goanywhere_managed_file_transfer | < 7.1.2       | 7.1.2
fortra | goanywhere_mft                   | <= 7.1.1      |

Detection & IOCs (extracted from sources)

hash: c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d
path: [install_dir]/adminroot/WEB-INF/web.xml
  • The vulnerability is a pre-authentication command injection via deserialization in the License Response Servlet; monitor for unexpected deserialization activity targeting that servlet endpoint.
  • Post-exploitation persistence uses Truebot-styled Scheduled Tasks executing payloads via Rundll32; hunt for Rundll32 child processes spawned from scheduled tasks on GoAnywhere MFT hosts.
  • CVE-2023-0669 was exploited as a zero-day since January 18, 2023 and attributed to the Clop ransomware gang; correlate GoAnywhere MFT exploitation indicators with Clop TTPs.
  • The administrative console is the attack surface; check Shodan/internet exposure of GoAnywhere MFT admin interfaces and alert on any external access to the admin console.
  • CVE-2023-0669 is one of three CVEs repeatedly exploited by ransomware actors in Talos IR engagements; prioritize detection rules for this CVE alongside CVE-2020-1472 and CVE-2018-13379.
  • The administrative console is typically only accessible from within a private network, VPN, or allow-listed IPs; exploitation requires network-level access to the admin interface, not the public-facing Web Client.
  • The vulnerability was patched in GoAnywhere MFT version 7.1.2; unpatched instances below this version remain at risk.

CVSS provenance

nvd: v3.1, 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 7.2 HIGH