Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2023-0669
PUBLISHED
Fortra GoAnywhere MFT License Response Servlet Command Injection
- Vendor: Fortra
- Product: GoAnywhere MFT
- Published: Feb 06, 2023
- EPSS: —
Description
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SSVC decision points
- Exploitation: active
- Automatable: No
- Technical impact: total
References
- https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1
- https://infosec.exchange/@briankrebs/109795710941843934
- https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/
- https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis
- https://github.com/rapid7/metasploit-framework/pull/17607
- https://duo.com/decipher/fortra-patches-actively-exploited-zero-day-in-goanywhere-mft
- https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
- http://packetstormsecurity.com/files/171789/Goanywhere-Encryption-Helper-7.1.1-Remote-Code-Execution.html
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Feb 10, 2023 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/fortra_goanywhere_rce_cve_2023_0669.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-0669.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
metasploit · Created Unknown
Metasploit module for CVE-2023-0669
github · Created 2023-04-06 03:40:03 UTC · 8 stars
GoAnywhere MFT CVE-2023-0669 LicenseResponseServlet Deserialization Vulnerabilities Python RCE PoC (Proof of Concept)
github · Created 2023-02-26 02:33:54 UTC · 7 stars
CVE analysis for CVE-2023-0669
github · Created 2023-02-10 13:02:55 UTC · 101 stars
CVE-2023-0669 GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.
Timeline
- CVE ID Reserved
- CVE Published to Public
- Exploit Used in Malware
- Added to KEVIntel
- Detected by Nuclei
- Detected by Metasploit