CVE-2023-0669

Fortra GoAnywhere MFT License Response Servlet Command Injection

Basic Information

CVE State: PUBLISHED
Reserved Date: February 03, 2023
Published Date: February 06, 2023
Last Updated: February 13, 2025
Vendor: Fortra
Product: GoAnywhere MFT
Description: Fortra (formerly HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

CVSS Scores

CVSS v3.1

7.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2023-02-10 00:00:00 UTC)
Proof of Concept Available: Yes (added 2023-02-26 02:33:54 UTC)
Used in Malware: Yes (added 2023-02-10 00:00:00 UTC)

Known Exploited Vulnerability Information

Source: CISA • Added Date: 2023-02-10 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

fortra_goanywhere_rce_cve_2023_0669

Type: metasploit • Created: Unknown

Metasploit module for CVE-2023-0669

Avento/CVE-2023-0669

Type: github • Created: 2023-04-06 03:40:03 UTC • Stars: 8

GoAnywhere MFT CVE-2023-0669 LicenseResponseServlet Deserialization Vulnerabilities Python RCE PoC (Proof of Concept)

yosef0x01/CVE-2023-0669-Analysis

Type: github • Created: 2023-02-26 02:33:54 UTC • Stars: 7

CVE analysis for CVE-2023-0669

0xf4n9x/CVE-2023-0669

Type: github • Created: 2023-02-10 13:02:55 UTC • Stars: 101

CVE-2023-0669 GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.