GoAnywhere MFT RCE Vulnerability (CVE-2023-0669) Actively Exploited

Description

FortiGuard Labs is aware of a report that a remote code execution (RCE) vulnerability in the GoAnywhere MFT (Managed File Transfer) tool (CVE-2023-0669) is being actively exploited in the wild. The Cl0p ransomware threat actor reportedly claimed to have leveraged the vulnerability to compromise vulnerable GoAnywhere MFT servers and steal data from over 130 organizations. FortiGuard Labs has an Outbreak Alert writeup page with additional information on CVE-2023-0669, including a comprehensive list of protections.


Why is this Significant?

This is significant because an RCE vulnerability in the GoAnywhere MFT tool (CVE-2023-0669) is being actively exploited in the wild. The Cl0p ransomware group allegedly exploited the vulnerability and stole data from multiple organizations for financial extortion.


On February 10, 2023, CISA (Cybersecurity and Infrastructure Security Agency) added CVE-2023-0669 to the Known Exploited Vulnerabilities catalog.


A patch is available in version 7.1.2 and should be applied as soon as possible.


What is GoAnywhere MFT?

GoAnywhere MFT is a tool developed by Fortra that allows organizations to centralize, control and streamline internal and external file transfers.


What is CVE-2023-0669?

CVE-2023-0669 is a command injection vulnerability in GoAnywhere MFT that affects version 7.1.1 and prior. Successful exploitation allows attackers to gain remote code execution on vulnerable GoAnywhere MFT installations.


The vulnerability has a CVSS score of 7.2.


Has the Vendor Released an Advisory for CVE-2023-0669?

Fortra released the advisory in their customer portal. See the Appendix for a link to "Security Advisory" (note that login is required to access the advisory).


Has the Vendor Released a Patch for CVE-2023-0669?

Yes. Fortra released a patch in version 7.1.2 on February 13, 2023.


Any Mitigation?

Fortra provided mitigation methods in the advisory. For details, see the Appendix for a link to "Security Advisory" (note that a login is required to access the advisory).


What is the Status of Protection?

FortiGuard Labs released the following IPS signature in version 22.495 for CVE-2023-0669:

  • Fortra.GoAnywhere.MFT.LicenseResponseServlet.Command.Injection (default action is set to "pass"; adjust it to "block" for active protection)

Outbreak Alert

Fortra (formerly known as HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet.
