
CVE-2023-0669

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE


Published: 06 February 2023
Modified: 03 November 2025
KEV Added: 10 February 2023
Patch
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 1.0000 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2023-0669 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Fortra GoAnywhere Managed File Transfer. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Fortra GoAnywhere MFT contains a pre-authentication command injection vulnerability in the License Response Servlet that stems from deserializing an arbitrary attacker-controlled object, corresponding to CWE-502. The flaw affects the product prior to the patch release in version 7.1.2 and carries a CVSS 3.1 score of 7.2.

An attacker with network access can supply a malicious serialized object to the servlet without prior authentication, resulting in remote code execution that grants full control over the confidentiality, integrity, and availability of the affected system. Public exploit code, including a Metasploit module, has been released to leverage the deserialization path.

Vendor guidance and multiple security advisories state that upgrading to GoAnywhere MFT 7.1.2 eliminates the vulnerability; organizations are advised to apply the update promptly given confirmed active exploitation in the wild shortly after disclosure.

The associated EPSS score has reached a peak of 0.9722 with a current value of 0.9438, and public references document real-world attacks together with readily available proof-of-concept tools.

Vulnerability details

Fortra (formerly HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 10 February 2023

Related Threats

Threat-Actor Attribution (AI)

Cl0p (G0092), aka TA505
Cl0p ransomware mass-exploited GoAnywhere MFT zero-day starting Jan 2023 (CISA AA23-158A, Mandiant, Rapid7).

CVEs Like This One

CVE-2025-10035: same product (Fortra GoAnywhere Managed File Transfer); both on KEV
CVE-2025-14362: same product (Fortra GoAnywhere Managed File Transfer)
CVE-2025-54309: same product class (managed file transfer); both on KEV
CVE-2023-34362: same product class (managed file transfer); both on KEV
CVE-2014-0160: same product class (managed file transfer); both on KEV
CVE-2025-8875: shared CWE-502; both on KEV
CVE-2025-53690: shared CWE-502; both on KEV
CVE-2025-59287: shared CWE-502; both on KEV
CVE-2025-26399: shared CWE-502; both on KEV
CVE-2025-53770: shared CWE-502; both on KEV

Affected Assets

Vendor: Fortra
Product: GoAnywhere Managed File Transfer
Versions: ≤ 7.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-derived)

SI-10 (Information Input Validation), prevent

Directly requires validation of all input (including serialized objects) to the License Response Servlet before deserialization, blocking the attacker-controlled object that leads to RCE.

Identification and authorization control, prevent

Enforces that the License Response Servlet may only be reached, or perform dangerous operations, after successful identification and authorization, eliminating the pre-authentication attack path.

SI-2 (Flaw Remediation), prevent

Mandates prompt application of the vendor patch (v7.1.2) that removes the unsafe deserialization code path in the affected servlet.

References