Patch released for GoAnywhere MFT zero-day exploit

Target Industry

Indiscriminate, opportunistic targeting.


Severity Level – Low (CVSSv3 base score of 3.1): Compromise may result in the loss of confidentiality and integrity of data.

Fortra has released an emergency patch to address an actively exploited zero-day vulnerability in the GoAnywhere MFT secure file transfer platform. The vulnerability allows threat actors to achieve remote code execution on vulnerable GoAnywhere MFT instances whose administrative console is exposed online.

Fortra reported that:

“The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses.”

Shodan scans further revealed that close to 1,000 instances of the GoAnywhere tool are exposed on the internet. However, only approximately 140 of these are currently reachable via ports 8000 and 8001, the default ports on which the GoAnywhere administrator console listens.


Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to insecure input validation when processing serialised data passed to the “/goanywhere/lic/accept” HTTP endpoint of the administrative web interface. A remote attacker can send a specially crafted HTTP request to the application and execute arbitrary code on the target system.

Vulnerability Detection

Fortra has released the required security patches for the affected product versions. Versions prior to the patched release remain vulnerable to exploitation.

Affected Products

GoAnywhere MFT version 7.1.1 and below.

Containment, Mitigations & Remediations

Fortra has strongly advised that all GoAnywhere MFT clients apply patch 7.1.2 as soon as possible. This has been declared to be particularly urgent for customers that are running the administrator portal exposed to the internet. The security patch can be downloaded via the “Product Downloads” tab at the top of the GoAnywhere account page.

However, if the patch cannot be applied immediately, it is recommended that Fortra’s mitigation advice is followed. This requires either implementing access controls so that the administrator interface is reachable only from trusted sources, or disabling the licensing service. To disable the built-in, vulnerable licensing servlet, administrators have to either comment out or delete the servlet and servlet-mapping configurations for the License Response Servlet in the web.xml file. This will disable the vulnerable endpoint. After making these modifications, the altered web.xml file should be saved. Finally, a restart is required to apply the new configuration.
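One way to confirm the web.xml change took effect, as an added example that is not Fortra's own tooling: the check below parses the file and reports any servlet or servlet-mapping element for the License Response Servlet that is still active. The sample web.xml content, including the class name and url-pattern, is constructed placeholder data.

```python
import xml.etree.ElementTree as ET

SERVLET_NAME = "License Response Servlet"  # servlet named in the bulletin

# Constructed sample web.xml: the class name and url-pattern are placeholders.
UNMITIGATED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>example.PlaceholderLicenseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/placeholder/path</url-pattern>
  </servlet-mapping>
</web-app>"""

# The same file after the mitigation: both elements wrapped in XML comments.
MITIGATED = (UNMITIGATED
             .replace("<servlet>", "<!-- <servlet>")
             .replace("</servlet>", "</servlet> -->")
             .replace("<servlet-mapping>", "<!-- <servlet-mapping>")
             .replace("</servlet-mapping>", "</servlet-mapping> -->"))

# Incomplete edit: the servlet is commented out but its mapping was left in place.
PARTIAL = (UNMITIGATED
           .replace("<servlet>", "<!-- <servlet>")
           .replace("</servlet>", "</servlet> -->"))


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def active_entries(web_xml_text, servlet_name=SERVLET_NAME):
    """Return the element kinds still active for servlet_name.

    The default ElementTree parser discards comments, so commented-out or
    deleted elements never appear in the tree. An empty list means the
    mitigation is in place.
    """
    root = ET.fromstring(web_xml_text)
    active = []
    for el in root.iter():
        kind = _local(el.tag)
        if kind not in ("servlet", "servlet-mapping"):
            continue
        names = [(c.text or "").strip() for c in el if _local(c.tag) == "servlet-name"]
        if servlet_name in names:
            active.append(kind)
    return active
```

Run it against the contents of the real web.xml after editing and again after the restart; any non-empty result means an element was missed.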

As a further precaution, Fortra has recommended that users determine whether they have stored credentials for other systems in the environment and ensure that these credentials have been revoked. Such credentials include passwords and keys which are used to access any external systems integrated with the GoAnywhere platform.

If evidence of an attack exists within a network environment, Fortra recommends following the below protocol after the mitigation recommendations have been implemented:

– Rotate the Master Encryption Key
– Reset credentials for all external trading partners/systems
– Review audit logs and delete any suspicious administrator and/or web user accounts
– Contact support via the [portal](https://my.goanywhere.com/), email [email protected], or phone 402-944-4242 for further assistance.

Indicators of Compromise

The following stack trace, found in userdata/logs/[system_name]-goanywhere.log, has been classified as an Indicator of Compromise for this exploit:

java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
    at org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171)
    at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
    at java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
    at java.util.PriorityQueue.heapify(PriorityQueue.java:736)
    at java.util.PriorityQueue.readObject(PriorityQueue.java:796)
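A log sweep for the stack trace above, as an added example that is not part of the Fortra advisory: it groups each log entry with its frames and flags entries where BeanComparator.compare appears above PriorityQueue.readObject. The sample log lines, including their timestamp format, are constructed for illustration.

```python
import re

# Frame lines look like "at pkg.Class.method(File.java:123)". Only the method
# is matched, because source line numbers differ between library builds.
FRAME = re.compile(r"^\s*at\s+([\w.$<>]+)\(")
COMPARE = "org.apache.commons.beanutils.BeanComparator.compare"
READ_OBJECT = "java.util.PriorityQueue.readObject"

# Constructed sample log: timestamps, levels and non-IoC entries are invented.
SAMPLE_LOG = """\
2023-02-01 09:00:01 INFO  Admin login from 10.0.0.5
2023-02-01 09:02:13 ERROR java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
\tat org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171)
\tat java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
\tat java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
\tat java.util.PriorityQueue.heapify(PriorityQueue.java:736)
\tat java.util.PriorityQueue.readObject(PriorityQueue.java:796)
2023-02-01 09:05:40 ERROR java.io.IOException: Connection reset
\tat java.net.SocketInputStream.read(SocketInputStream.java:210)
""".splitlines()


def is_ioc(frames):
    """True when BeanComparator.compare sits above PriorityQueue.readObject."""
    if COMPARE not in frames or READ_OBJECT not in frames:
        return False
    return frames.index(COMPARE) < frames.index(READ_OBJECT)


def find_ioc_traces(lines):
    """Return 1-based line numbers of log entries whose stack trace matches."""
    hits, start, frames = [], None, []
    # The sentinel is a non-frame line that flushes the final trace.
    for n, line in enumerate(list(lines) + ["<end>"], 1):
        m = FRAME.match(line)
        if m:
            frames.append(m.group(1))
        elif line.strip():  # a new log entry closes the previous trace
            if start is not None and is_ioc(frames):
                hits.append(start)
            start, frames = n, []
    return hits


if __name__ == "__main__":
    print(find_ioc_traces(SAMPLE_LOG))
```

Each returned number is the line of the log entry that owns the matching trace, which gives the timestamp to pivot on when reviewing audit logs.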

Threat Landscape

GoAnywhere MFT is ranked in the top tier of file transfer solutions by market share. Threat actors generally weigh a combination of probability and asset value to determine which attack surfaces to spend their time on. As a result, file transfer solutions such as GoAnywhere MFT have become a prime target for threat actors. Because file transfer platforms have become an integral part of both personal and business affairs, threat actors will continue to exploit vulnerabilities in these platforms in an attempt to extract the sensitive data they hold.

Threat Group

The Clop ransomware group has been actively exploiting CVE-2023-0669 as a method of implementing ransomware attacks on several target organisations. The ransomware gang operates by utilising the double, and sometimes the triple, extortion technique. This means that not only does the group encrypt the private data of the victim and demand a ransom for the keys, but it also threatens victims with the publication of the data on its own dark web site. This is likely designed to increase pressure on the victim and increase the chances of payment, as the publishing of data can cause future security concerns.

Due to the lack of detail contained within the Fortra advisory, no specific threat actors have been identified to have exploited this vulnerability at the time of writing.

MITRE Methodologies

Lateral movement:

T1210 – Exploitation of Remote Services
