CVE-2023-0669 — Fortra GoAnywhere MFT Remote Code Execution Vulnerability

CVE-2023-0669

Fortra GoAnywhere MFT — Pre-Auth Deserialization RCE in License Response Servlet; Cl0p Ransomware Mass-Exploited 130+ Organizations

What is Fortra GoAnywhere MFT?

GoAnywhere MFT (Managed File Transfer) is an enterprise file transfer platform developed by Fortra (formerly HelpSystems) used by organizations in finance, healthcare, government, and critical infrastructure to automate and secure large-scale file transfers — including encrypted transfers to trading partners, cloud services, and internal systems. GoAnywhere processes sensitive business data such as financial records, healthcare files, and customer data. Its administrative console manages transfer workflows, credentials, and partner connections, making unauthorized access to the admin interface equivalent to data breach access for all connected systems and partners.

Overview

CVE-2023-0669 is a pre-authentication remote code execution vulnerability (CWE-502) in the GoAnywhere MFT License Response Servlet: the servlet deserializes an attacker-controlled Java object, and exploitation requires no valid credentials. Although the CVSS vector scores Privileges Required as High (PR:H), reflecting the admin console's authentication requirement, the vulnerable endpoint was accessible without authentication in the normal sense, making it effectively pre-auth. Fortra issued a private advisory to customers in January 2023 and released a patch on February 1, 2023. The Cl0p ransomware group (TA505) mass-exploited the vulnerability before and shortly after public disclosure, claiming data theft from more than 130 organizations. CISA issued advisory AA23-158a documenting the campaign in June 2023.

Affected Versions

Product          Affected         Fixed
GoAnywhere MFT   Prior to 7.1.2   7.1.2

Technical Details

The vulnerability is in GoAnywhere MFT's License Response Servlet — an endpoint used during the licensing workflow. The servlet deserializes a Java object from attacker-supplied HTTP request data without first validating that the object is of a safe type. Java deserialization of attacker-controlled data is exploitable via gadget chains present in the application's Java classpath: by crafting a malicious serialized Java object that triggers a known deserialization gadget (e.g., in Apache Commons Collections or similar libraries), an attacker causes the GoAnywhere JVM to execute arbitrary code when the object is deserialized.
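
The missing type validation described above, as an added Java example (not Fortra's code): an unfiltered readObject() next to one guarded by a JDK ObjectInputFilter allow-list (Java 9+). The LicenseResponse class, the filter limits and the sample inputs are hypothetical and constructed for illustration.

```java
import java.io.*;
import java.util.HashMap;

public class DeserializationFilterDemo {
    // Allow-list: the expected class and String only; bound graph size; reject the rest.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=65536;LicenseResponse;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // Unsafe pattern (CWE-502): any Serializable class on the classpath is
    // instantiated, and its readObject logic runs, before the caller sees the type.
    static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the filter sees each class descriptor before instantiation.
    static LicenseResponse readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return (LicenseResponse) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new LicenseResponse("constructed-sample-id"));
        // Constructed input: a harmless HashMap standing in for an unexpected type.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepts:   " + readFiltered(expected).licenseId);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects:   " + e.getMessage());
        }
    }
}

// Hypothetical stand-in for the single type a licensing endpoint expects.
class LicenseResponse implements Serializable {
    private static final long serialVersionUID = 1L;
    final String licenseId;
    LicenseResponse(String licenseId) { this.licenseId = licenseId; }
}
```

The filter rejects the unexpected class with an InvalidClassException before any of its deserialization logic runs, which is the check the vulnerable servlet did not perform.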

The PR:H CVSS metric is somewhat misleading in practice — the License Response Servlet was accessible to unauthenticated attackers on the GoAnywhere admin interface port (typically 8000 or 8443), making exploitation require only network access to the admin port rather than valid admin credentials.

Discovery

The vulnerability was identified during active exploitation. Fortra notified registered customers with a private advisory on January 18, 2023, before public disclosure — but the vulnerability was already being exploited by Cl0p at that time. The CISA KEV addition on February 10, 2023 confirmed active exploitation.

Exploitation Context

Cl0p (also tracked as TA505, Snakefly, or GOLD TAHOE) is a Russian-linked cybercriminal group that has repeatedly targeted secure file transfer platforms as a high-yield source of sensitive data for extortion — repeating this pattern with MOVEit Transfer (CVE-2023-34362) in May–June 2023. The GoAnywhere campaign resulted in confirmed breaches at over 130 organizations including:

  • Hatch Bank — customer PII and loan data
  • Rubrik — cybersecurity firm's sales data and due diligence information
  • Hitachi Energy — employee data
  • City of Toronto — residents' personal data
  • Ofcom (UK Communications Regulator) — regulatory data

Cl0p used the GoAnywhere access to exfiltrate data and demanded ransom payments to prevent publication — a double-extortion model. Organizations that refused had their data published on Cl0p's leak site.

Remediation

  1. Upgrade GoAnywhere MFT to version 7.1.2 or later — apply via Fortra's customer portal.
  2. Restrict admin interface access — the GoAnywhere admin console (ports 8000/8443 or custom) should never be accessible from the internet; restrict to internal management networks or VPN only.
  3. Audit file transfer logs for evidence of unauthorized access, unusual data exports, or connections from unexpected IP addresses during the exposure window.
  4. Check for webshells or unauthorized files in the GoAnywhere installation directory — Cl0p installed persistence mechanisms in some compromised instances.
  5. Rotate all credentials stored in GoAnywhere — connection credentials for partner endpoints, cloud services, and internal systems should be rotated if the server was accessible during the vulnerable period.
  6. Review CISA Advisory AA23-158a for Cl0p-specific indicators of compromise (IOCs) to determine if your environment was targeted.

Key Details

Property               Value
CVE ID                 CVE-2023-0669
Vendor / Product       Fortra — GoAnywhere MFT
NVD Published          2023-02-06
NVD Last Modified      2025-11-03
CVSS 3.1 Score         7.2
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-502
CISA KEV Added         2023-02-10
CISA KEV Deadline      2023-03-03
Known Ransomware Use   ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   High
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-03-03. Apply updates per vendor instructions.

Timeline

Date         Event
2023-01-18   Fortra issues private security advisory to registered customers disclosing the GoAnywhere vulnerability and providing a workaround
2023-02-01   Fortra releases GoAnywhere MFT 7.1.2 patching CVE-2023-0669
2023-02-06   CVE-2023-0669 formally published
2023-02-10   CISA adds CVE-2023-0669 to the Known Exploited Vulnerabilities catalog
2023-02      Cl0p ransomware group (TA505) claims to have exploited GoAnywhere to steal data from 130+ organizations; public disclosure of campaign begins
2023-03-03   CISA BOD 22-01 remediation deadline
2023-06-07   CISA publishes advisory AA23-158a documenting Cl0p's GoAnywhere campaign with IOCs and mitigation guidance