HIGH🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2023-0669

CVSS 7.2v3.1pub. 2023-02-06upd. 2025-11-03

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Fortra Goanywhere Managed File Transfer

    APP
    Fortra
    < 7.1.2

CISA KEV — detailsi

Vendori
Fortra
Producti
GoAnywhere MFT
Added to KEVi
February 10, 2023
Remediation deadline (US Federal)i
March 3, 2023(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 3 marca 2023
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2025-10035CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Deserialization i command injection w Fortra GoAnywhere MFT (License Servlet)

CVE-2024-0204CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelniania w Fortra GoAnywhere MFT — tworzenie konta admina

CVE-2025-14362HIGH7.3ten sam produkt

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User...

CVE-2025-1241MEDIUM5.8ten sam produkt

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2...

CVE-2026-0971MEDIUM4.3ten sam produkt

An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configure...