CVE-2023-0669
Published: 06 February 2023
Summary
CVE-2023-0669 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Fortra GoAnywhere Managed File Transfer (MFT). Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Fortra GoAnywhere MFT contains a pre-authentication command injection vulnerability in the License Response Servlet that stems from deserializing an arbitrary attacker-controlled object, corresponding to CWE-502. The flaw affects the product prior to the patch release in version 7.1.2 and carries a CVSS 3.1 score of 7.2.
An attacker with network access can supply a malicious serialized object to the servlet without prior authentication, resulting in remote code execution that grants full control over the confidentiality, integrity, and availability of the affected system. Public exploit code, including a Metasploit module, has been released to leverage the deserialization path.
Vendor guidance and multiple security advisories state that upgrading to GoAnywhere MFT 7.1.2 eliminates the vulnerability; organizations are advised to apply the update promptly given confirmed active exploitation in the wild shortly after disclosure.
The associated EPSS score has reached a peak of 0.9722 with a current value of 0.9438, and public references document real-world attacks together with readily available proof-of-concept tools.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0644
Vulnerability details
Fortra (formerly HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
- CWE(s): CWE-502
- KEV Date Added: 10 February 2023
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of all input (including serialized objects) to the License Response Servlet before deserialization, blocking the attacker-controlled object that leads to RCE.
- Enforces that the License Response Servlet may only be reached or perform dangerous operations after successful identification and authorization, eliminating the pre-authentication attack path.
- SI-2 (Flaw Remediation): Mandates prompt application of the vendor patch (v7.1.2) that removes the unsafe deserialization code path in the affected servlet.
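The SI-10 control above amounts to "decide which classes are acceptable before any object is instantiated". The following is an added example of that control in plain Java serialization, not Fortra's code and not how GoAnywhere itself was fixed; the `LicenseResponse` class and the `DeserializationFilterDemo` wrapper are hypothetical stand-ins. It puts the vulnerable pattern (read whatever class the sender chose) beside the hardened one (a JEP 290 `ObjectInputFilter` allow-list that rejects every class except the one expected, before its constructor or `readObject` ever runs). The sample inputs are constructed: a benign `HashMap` stands in for "an arbitrary attacker-selected class".

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationFilterDemo {

    /** Hypothetical stand-in for the single type the endpoint legitimately expects. */
    public static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        final String licenseKey;
        LicenseResponse(String licenseKey) { this.licenseKey = licenseKey; }
    }

    /**
     * Allow-list filter (JEP 290, Java 9+): accept only LicenseResponse, reject every
     * other class ("!*") before it is instantiated, and cap graph depth / array size
     * to blunt resource-exhaustion payloads. Any field types the contract genuinely
     * needs (e.g. java.lang.Integer) are added by name; never allow "*".
     */
    static final ObjectInputFilter LICENSE_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxarray=64;" + LicenseResponse.class.getName() + ";!*");

    /** Vulnerable pattern (CWE-502): whatever class the sender chose gets instantiated. */
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: the filter is consulted for every class descriptor before resolution. */
    static LicenseResponse readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(LICENSE_FILTER); // must be set before the first readObject()
            return (LicenseResponse) in.readObject();
        }
    }

    /** Helper to build constructed sample streams for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the expected object, and an arbitrary JDK class standing in
        // for "any class the sender picked" (a benign HashMap, not a gadget chain).
        byte[] expected = serialize(new LicenseResponse("EXAMPLE-KEY"));
        byte[] arbitrary = serialize(new HashMap<String, String>());

        // Without a filter, the unexpected class is happily materialised.
        System.out.println("unfiltered accepts: " + readUnfiltered(arbitrary).getClass().getName());

        // With the allow-list, the expected type still works ...
        System.out.println("filtered accepts:   " + readFiltered(expected).licenseKey);
        // ... and anything else is rejected before construction. Log and alert on this at
        // the boundary: a REJECTED status on a production endpoint is a detection signal.
        try {
            readFiltered(arbitrary);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects:   " + e.getMessage());
        }
    }
}
```

Compile and run with any Java 9 or later JDK; the rejected read fails with an `InvalidClassException` whose message reports `filter status: REJECTED`. The same allow-list can be applied process-wide through `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which is the safer default when an application has several deserialization entry points, with per-stream filters reserved for endpoints that need a tighter list than the global one.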