CVE-2023-0669

7.2 HIGH

📋 TL;DR

CVE-2023-0669 is a pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT that allows unauthenticated attackers to execute arbitrary commands on affected systems by exploiting insecure deserialization in the License Response Servlet. This affects organizations using GoAnywhere MFT versions before 7.1.2 for secure file transfers. Attackers can gain complete control of vulnerable systems without requiring valid credentials.

💻 Affected Systems

Products:
  • Fortra GoAnywhere MFT
Versions: All versions before 7.1.2
Operating Systems: All supported platforms (Windows, Linux, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable component enabled are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise leading to data exfiltration, ransomware deployment, lateral movement within the network, and persistent backdoor installation.
🟠 Likely Case: Unauthenticated remote code execution allowing attackers to deploy malware, steal sensitive data, and use the system as a foothold for further attacks.
🟢 If Mitigated: Limited impact if network segmentation, strict firewall rules, and intrusion detection systems prevent exploitation attempts.

🌐 Internet-Facing: HIGH - This vulnerability is pre-authentication and actively exploited, making internet-facing instances immediate targets.
🏢 Internal Only: MEDIUM - While less exposed, internal instances remain vulnerable to insider threats or attackers who breach perimeter defenses.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Metasploit module available, actively exploited in the wild, and exploitation requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.2

Vendor Advisory: https://www.fortra.com/security/advisory/fi-2023-005

Restart Required: Yes

Instructions:

1. Back up current configuration and data.
2. Download GoAnywhere MFT 7.1.2 from the Fortra support portal.
3. Stop GoAnywhere services.
4. Install the update following vendor documentation.
5. Restart services and verify functionality.

🔧 Temporary Workarounds

Network Isolation

all

Block external access to GoAnywhere MFT web interface (default port 8000/8001) at network perimeter.

Disable License Response Servlet

all

Remove or disable the vulnerable servlet if not required for functionality.

# Remove LicenseResponseServlet from web.xml configuration

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GoAnywhere MFT from internet and critical internal networks
  • Deploy web application firewall (WAF) with rules to detect and block exploitation attempts targeting deserialization

🔍 How to Verify

Check if Vulnerable:

Check GoAnywhere MFT version via admin interface or by examining installation directory for version files.

Check Version:

# On Linux: cat /usr/local/goanywhere/version.txt or check web interface at https://<host>:8000/admin

Verify Fix Applied:

Verify version shows 7.1.2 or later in admin interface and test that License Response Servlet no longer accepts malicious payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to the license response endpoint at /goanywhere/images/..;/license
  • Java deserialization errors in application logs
  • Unexpected process execution from GoAnywhere service account

Network Indicators:

  • HTTP POST requests to /goanywhere/images/..;/license with serialized Java objects
  • Outbound connections from GoAnywhere server to suspicious external IPs

SIEM Query:

source="goanywhere.logs" AND (uri="/goanywhere/images/..;/license" OR message="*deserialization*" OR message="*LicenseResponseServlet*")
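
The same indicators applied to raw log lines, as an added example that is not part of the original page or any vendor tooling. The URI and keywords are the ones listed above; the access-log layout, the sample lines and the function names are assumptions constructed for illustration, and percent-decoding is added so an encoded `;` in the path still matches.

```python
import re
from urllib.parse import unquote

# Indicators copied from the Detection & Monitoring section of this page.
SUSPECT_URI = "/goanywhere/images/..;/license"
MESSAGE_KEYWORDS = ("deserialization", "licenseresponseservlet")

# Assumed access-log layout (common/combined log format); adapt to your logs.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" \d{3}'
)

# Constructed sample lines for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2023:10:15:01 +0000] "POST /goanywhere/images/..;/license HTTP/1.1" 500 312
203.0.113.7 - - [02/Feb/2023:10:15:04 +0000] "POST /goanywhere/images/..%3B/license?x=1 HTTP/1.1" 500 312
198.51.100.20 - - [02/Feb/2023:10:16:00 +0000] "GET /goanywhere/images/logo.png HTTP/1.1" 200 5120
2023-02-02 10:15:01 ERROR LicenseResponseServlet - deserialization of license response failed
2023-02-02 10:17:30 INFO Project 'nightly-sync' completed
"""

def normalize_uri(uri):
    """Drop the query string, percent-decode twice, lower-case."""
    path = uri.split("?", 1)[0]
    for _ in range(2):  # catches single and double encoding of ';'
        path = unquote(path)
    return path.lower()

def classify(line):
    """Return the indicator labels that one log line matches."""
    hits = []
    m = ACCESS_RE.match(line)
    if m and normalize_uri(m["uri"]).startswith(SUSPECT_URI):
        hits.append("license-uri-post" if m["method"] == "POST" else "license-uri")
    lowered = line.lower()
    hits.extend(kw for kw in MESSAGE_KEYWORDS if kw in lowered)
    return hits

def scan(text):
    """Map 1-based line numbers to matched indicators, skipping clean lines."""
    findings = {}
    for number, line in enumerate(text.splitlines(), start=1):
        hits = classify(line)
        if hits:
            findings[number] = hits
    return findings

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(hits)}")
```
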
