CVE-2023-25915

9.9 CRITICAL

📋 TL;DR

CVE-2023-25915 is a critical remote code execution vulnerability affecting Fortra's GoAnywhere MFT software. Authenticated attackers can exploit improper input validation to execute arbitrary commands on vulnerable systems. Organizations using affected versions of GoAnywhere MFT are at risk.

💻 Affected Systems

Products:
  • Fortra GoAnywhere MFT
Versions: prior to 7.4.1
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access, but default installations with admin credentials are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing an attacker to install malware, exfiltrate sensitive data, pivot to other systems, and maintain persistent access.

🟠 Likely Case: Data theft, ransomware deployment, or credential harvesting from the compromised MFT system.

🟢 If Mitigated: Limited impact due to network segmentation, strong authentication controls, and minimal privileges on the affected system.

🌐 Internet-Facing: HIGH - GoAnywhere MFT is often deployed as an internet-facing file transfer solution, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple exploit scripts are publicly available. Attackers have been actively exploiting this vulnerability in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.4.1

Vendor Advisory: https://www.fortra.com/security/advisory/2023-02-13-goanywhere-mft-vulnerability

Restart Required: Yes

Instructions:

1. Download GoAnywhere MFT version 7.4.1 from Fortra's customer portal.
2. Back up the current configuration and data.
3. Stop GoAnywhere services.
4. Install the update following vendor instructions.
5. Restart services and verify functionality.

🔧 Temporary Workarounds

Network Access Restriction (platforms: all)

Restrict network access to the GoAnywhere MFT administration interface to trusted IP addresses only.

# Configure firewall rules to allow only specific source IPs to port 8000/tcp (admin port)

Disable Admin Port (platforms: all)

Temporarily disable the administrative web interface if it is not actively needed.

# In GoAnywhere configuration, set admin.port=0 or disable the admin service

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GoAnywhere MFT from critical systems
  • Enforce multi-factor authentication and strong password policies for all administrative accounts

🔍 How to Verify

Check if Vulnerable:

Check GoAnywhere MFT version via admin interface or by examining installation files. Versions below 7.4.1 are vulnerable.

Check Version:

# On Linux: cat /opt/goanywhere/version.txt or check admin interface

Verify Fix Applied:

Verify version is 7.4.1 or higher in the admin interface under Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts to admin interface
  • Suspicious command execution in system logs
  • Unexpected process creation from GoAnywhere service

Network Indicators:

  • Unusual outbound connections from GoAnywhere server
  • Traffic to known malicious IPs from GoAnywhere system

SIEM Query:

source="goanywhere.logs" AND (event="authentication_failure" OR event="command_execution") | stats count by src_ip
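As an added example (not code from the advisory or from Fortra's product), the following Python script does two things this page describes: it compares an installed version string against the 7.4.1 fix level from the How to Verify section, and it applies the logic of the SIEM query above to constructed log lines. The key="value" log format and the presence of a `source` field are assumptions.

```python
import re
from collections import Counter

# Patch version named in the advisory; anything lower is listed as affected.
FIXED_VERSION = (7, 4, 1)

def parse_version(text: str) -> tuple:
    """Pull a dotted version out of strings like '7.4.1' or '7.3.0 build 12'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_vulnerable(version_text: str) -> bool:
    """True when the installed version is below the 7.4.1 fix level."""
    return parse_version(version_text) < FIXED_VERSION

# Constructed key="value" log lines in an assumed format (not real GoAnywhere
# output); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOGS = [
    'source="goanywhere.logs" event="authentication_failure" src_ip="203.0.113.10" user="admin"',
    'source="goanywhere.logs" event="authentication_failure" src_ip="203.0.113.10" user="admin"',
    'source="goanywhere.logs" event="command_execution" src_ip="203.0.113.10" user="admin"',
    'source="goanywhere.logs" event="login_success" src_ip="198.51.100.7" user="svc_transfer"',
    'source="other.logs" event="command_execution" src_ip="198.51.100.7"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
WATCHED_EVENTS = {"authentication_failure", "command_execution"}

def suspicious_counts(lines, source="goanywhere.logs") -> dict:
    """Same logic as the advisory's SIEM query: keep events from the GoAnywhere
    source that are auth failures or command executions, count per src_ip."""
    counts = Counter()
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        if fields.get("source") != source:
            continue  # the query filters on source first
        if fields.get("event") in WATCHED_EVENTS:
            counts[fields.get("src_ip", "unknown")] += 1
    return dict(counts)

if __name__ == "__main__":
    for v in ("7.3.9 build 12", "7.4.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    print(suspicious_counts(SAMPLE_LOGS))  # {'203.0.113.10': 3}
```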
