CVE-2023-0669

Fortra GoAnywhere MFT License Response Servlet Command Injection

CVSS 7.2 HIGH · EPSS 100.0% · KEV · CWE-502
In short

Fortra GoAnywhere MFT has a flaw that lets attackers run commands on the server before logging in: specially crafted data sent to the application tricks it into executing attacker-supplied code. This is dangerous because anyone who can reach the service over the network can exploit it without a password.

Technical detail

The vulnerability exists in the License Response Servlet, which deserializes untrusted Java objects without validation, allowing pre-authentication remote code execution. An unauthenticated attacker who can reach the servlet can submit a malicious serialized object and execute arbitrary commands with the application's privileges. Patched in version 7.1.2.

Summary generated and translated by AI from the official description.
Fortra (formerly HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Fortra · GoAnywhere MFT