Background
GoAnywhere MFT (Managed File Transfer) is an enterprise-grade secure file transfer solution developed by Fortra (formerly HelpSystems). It is widely deployed in healthcare, financial services, and government sectors for automating secure file exchange with partners, customers, and regulatory bodies. GoAnywhere supports SFTP, FTPS, AS2, and other secure transfer protocols, and is often configured to handle sensitive data including healthcare records, financial transactions, and regulated documents.
CVE-2023-0669 is a pre-authentication remote code execution vulnerability in GoAnywhere MFT’s administrative web interface, exploited as a zero-day by the Cl0p ransomware group. Despite its CVSS 7.2 score (High rather than Critical, reflecting the management interface exposure requirement), the real-world impact was severe: Cl0p exploited it to compromise over 130 organisations in a coordinated campaign before Fortra released a patch.
Technical Mechanism
CVE-2023-0669 is a Java deserialization vulnerability in GoAnywhere MFT’s administrative interface. The vulnerability exists in the /goanywhere/lic/accept endpoint, which processes license acceptance requests.
Java deserialization vulnerabilities arise when Java’s ObjectInputStream.readObject() is called on untrusted data. Java’s native serialization format supports arbitrary object graph reconstruction — when combined with “gadget chains” (sequences of existing classes that produce dangerous side effects when instantiated via deserialization), this enables arbitrary code execution.
GoAnywhere’s license acceptance endpoint deserialises user-supplied data without restricting permitted classes. An attacker can send a crafted serialized Java object that contains a gadget chain from common libraries (such as Apache Commons Collections, Apache Commons BeanUtils, or Spring Framework) present in GoAnywhere’s classpath:
```http
POST /goanywhere/lic/accept HTTP/1.1
Host: goanywhere.target.com:8001
Content-Type: application/x-java-serialized-object

[Binary serialized Java gadget chain payload]
```
Common Java deserialization gadget chains used:
- CommonsCollections (CC) gadgets: various chains using Apache Commons Collections that ultimately call Runtime.exec() or ProcessBuilder
- Spring gadgets: chains using Spring Framework classes
- OGNL/Groovy evaluation: gadget chains that evaluate arbitrary expression language
The exploit targeting GoAnywhere typically uses a gadget chain that executes an OS command via Runtime.exec(), which runs in the context of the GoAnywhere application server (typically a Java EE container like Tomcat or the embedded GoAnywhere server), usually running as a dedicated service account.
The administrative interface running on port 8001 (or the configured admin port) is technically not intended for internet exposure, but many GoAnywhere deployments had this port accessible from broader network ranges or the internet.
Real-World Exploitation Evidence
Cl0p ransomware group exploited CVE-2023-0669 as a zero-day in January–February 2023:
- Zero-day timeline: Cl0p exploited the vulnerability beginning around January 18, 2023 — more than six weeks before Fortra publicly disclosed the vulnerability on February 3, 2023.
- 130+ victim organisations: Cl0p claimed to have compromised over 130 organisations using this vulnerability. Confirmed victims included Community Health Systems (healthcare, 1 million patients’ data), Rubrik, Hitachi Energy, and multiple financial sector organisations.
- Data exfiltration focus: Similar to the later MOVEit campaign, Cl0p focused on stealing data rather than deploying encryption ransomware, then extorted victims via data publication threats.
- Coordinated disclosure: The long exploitation window before disclosure is a hallmark of Cl0p’s zero-day acquisition and use methodology — the group appears to acquire or develop zero-days specifically for MFT platforms to maximise data theft potential.
Impact Assessment
GoAnywhere MFT compromise provides:
- Access to all managed transfers: GoAnywhere handles file transfers including sensitive data; an attacker with server access can access all stored and in-transit files.
- Transfer endpoint credentials: GoAnywhere stores credentials for all configured trading partner connections (SFTP, FTPS, AS2 keys/certificates).
- Workflow automation access: GoAnywhere’s workflow/scripting features allow automated actions; these can be hijacked for persistence or further attacks.
- Downstream partner impact: Organisations sharing data with the compromised GoAnywhere server may also have their data exposed.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| GoAnywhere MFT | All versions < 7.1.2 | 7.1.2+ |
The vulnerability affects GoAnywhere MFT deployments where the administrative interface (default port 8001) is accessible from untrusted networks.
Remediation Steps
- Apply patch: Upgrade to GoAnywhere MFT 7.1.2 or later immediately.
- Interim mitigation (restrict admin interface access):

```bash
# Block external access to the GoAnywhere admin port (default 8001)
# via a firewall rule or network ACL. Both rules are inserted at the top
# with -I, so the ACCEPT added second is evaluated before the DROP.
iptables -I INPUT -p tcp --dport 8001 -j DROP
# Allow only from the management network:
iptables -I INPUT -s 10.0.0.0/8 -p tcp --dport 8001 -j ACCEPT
```

- Check for indicators of compromise:
  - Review GoAnywhere system logs for access to /goanywhere/lic/accept from external IPs
  - Check for unexpected files in GoAnywhere's file storage directories
  - Review GoAnywhere user accounts for unexpected additions
- Audit all transfer configurations: Verify all configured trading partner connections and credentials; rotate credentials for connections to high-value systems.
- Review admin account creation: Check whether any accounts were created or modified during the exploitation window.
Detection Guidance
Log sources:
- GoAnywhere application logs: `<install_dir>/userdata/logs/`
- Web server access logs for the admin interface port
- Java application server logs
Suspicious patterns:
```http
POST /goanywhere/lic/accept
Content-Type: application/x-java-serialized-object
```
Java deserialization detection:
- HTTP requests with Content-Type: application/x-java-serialized-object
- HTTP request bodies starting with the hex bytes aced0005 (Java serialization magic)
Suricata signature:
```
alert tcp $EXTERNAL_NET any -> $HOME_NET 8001 (msg:"GoAnywhere MFT CVE-2023-0669 Java Deserialization Exploit"; flow:established,to_server; content:"POST"; depth:4; content:"/goanywhere/lic/accept"; content:"|ac ed 00 05|"; sid:9002306; rev:1;)
```
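As an added example (not from the original advisory or from Fortra), the following Python scanner applies the log review from the remediation steps and the detection patterns above to constructed request records: it flags POSTs to /goanywhere/lic/accept that carry the serialized-object Content-Type, a body beginning with aced0005, or a source address outside the management network, which is assumed to be 10.0.0.0/8 as in the firewall rule.

```python
import ipaddress

# Constructed sample admin-port requests (not real log data): source IP,
# method, path, Content-Type header and the first bytes of the body.
SAMPLE_REQUESTS = [
    # Legitimate licence acceptance from the management network
    {"src": "10.20.1.5", "method": "POST", "path": "/goanywhere/lic/accept",
     "content_type": "application/x-www-form-urlencoded", "body": b"accept=true"},
    # Serialized Java object posted from an external address
    {"src": "203.0.113.77", "method": "POST", "path": "/goanywhere/lic/accept",
     "content_type": "application/x-java-serialized-object",
     "body": bytes.fromhex("aced0005") + b"\x73\x72"},
    # Mislabelled content type, but the body still carries the Java magic
    {"src": "198.51.100.9", "method": "POST", "path": "/goanywhere/lic/accept",
     "content_type": "application/octet-stream", "body": bytes.fromhex("aced0005")},
    # Ordinary login page request
    {"src": "10.20.1.5", "method": "GET", "path": "/goanywhere/auth/Login.xhtml",
     "content_type": "", "body": b""},
]

# Assumed management network (matches the iptables allow rule in Remediation).
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
JAVA_SER_MAGIC = bytes.fromhex("aced0005")   # Java ObjectOutputStream header
LIC_ACCEPT = "/goanywhere/lic/accept"
SER_CONTENT_TYPE = "application/x-java-serialized-object"


def classify(req: dict) -> list:
    """Return the reasons a request is suspicious (empty list if none)."""
    reasons = []
    if req["method"] != "POST" or req["path"] != LIC_ACCEPT:
        return reasons
    if req["content_type"].lower() == SER_CONTENT_TYPE:
        reasons.append("serialized-object Content-Type on lic/accept")
    if req["body"].startswith(JAVA_SER_MAGIC):
        reasons.append("body starts with Java serialization magic aced0005")
    src = ipaddress.ip_address(req["src"])
    if not any(src in net for net in MANAGEMENT_NETS):
        reasons.append("lic/accept reached from outside the management network")
    return reasons


def scan(requests: list) -> dict:
    """Map request index -> reasons, for requests with at least one reason."""
    hits = {}
    for i, req in enumerate(requests):
        reasons = classify(req)
        if reasons:
            hits[i] = reasons
    return hits
```

The benign licence acceptance from the management network is not flagged, while a request with a mislabelled Content-Type is still caught by the body magic and external-source checks.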
Timeline
| Date | Event |
|---|---|
| January 18, 2023 | Cl0p begins zero-day exploitation (estimated) |
| February 1, 2023 | Fortra notifies customers via private advisory |
| February 3, 2023 | Fortra releases GoAnywhere 7.1.2 (patch); limited public advisory |
| February 6, 2023 | Krebs on Security publishes details, increasing public awareness |
| February 7, 2023 | CISA adds CVE-2023-0669 to KEV catalogue |
| March 2023 | Cl0p publicly claims 130+ victim organisations |
| March–April 2023 | Individual victim organisations confirm breaches |