CVE REFERENCE | CRITICAL VULNERABILITY

CVE-2023-0669 Explained: GoAnywhere MFT Pre-Authentication RCE and the Cl0p Zero-Day Campaign

A zero-day pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT that the Cl0p ransomware group exploited against over 130 organisations before the vendor issued an advisory. How a managed file transfer product became one of the most impactful enterprise vulnerabilities of 2023.

Sources: NVD | Fortra GoAnywhere Security Advisory | CISA Known Exploited Vulnerabilities Catalog | Bleeping Computer — Cl0p ransomware claims 130 victims GoAnywhere | Huntress — GoAnywhere MFT CVE-2023-0669 Exploitation Analysis
CVSS score: 7.2 (High)
Organisations claimed by Cl0p: 130+
Zero-day exploitation before advisory: 10 days
Authentication required for exploitation: None

CVE-2023-0669 is a pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT — a managed file transfer platform used by thousands of enterprises, government agencies, and healthcare organisations to securely transfer sensitive files. The Cl0p ransomware group exploited it as a zero-day beginning approximately January 18, 2023, operating for ten days before Fortra issued any advisory. Cl0p claimed over 130 victim organisations, making CVE-2023-0669 one of the highest-volume single-vulnerability ransomware campaigns of 2023.

The vulnerability exists in the GoAnywhere administrative console's license validation endpoint, which deserializes attacker-supplied Java objects; this Java deserialization flaw allows unauthenticated code execution. The CVSS score of 7.2 reflects that the admin console is not meant to be internet-accessible, but widespread exposure of the admin interface meant many organisations were directly reachable from the public internet.

How CVE-2023-0669 Works: Java Deserialization in the License Endpoint

GoAnywhere MFT is a Java web application. Its administrative console — typically hosted on ports 8000 or 8001 — handles system configuration, user management, and license validation. The license validation endpoint accepts serialized Java object input, which it deserializes to process license data.

Java deserialization vulnerabilities arise when an application deserializes untrusted data without first validating the object type being deserialized. An attacker constructs a specially crafted serialized Java object (a 'gadget chain') that, when deserialized, executes arbitrary code as a side effect of the object's construction or method invocations.

In CVE-2023-0669, the attacker sends a crafted serialized object to the GoAnywhere license endpoint. The Java deserialization process triggers a gadget chain (typically built from classes in libraries already present on the server's classpath, such as Apache Commons Collections) that executes OS commands. Because the administrative console process runs with elevated permissions, which it needs for file transfer operations, the resulting code execution is highly privileged.
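To make the defensive side of the paragraph above concrete, here is an added example (not code from Fortra or from the original article) of the check a JEP 290 ObjectInputFilter performs, written as a stand-alone triage script: it recognises a Java serialization stream by its 0xACED0005 header, heuristically pulls the class names out of TC_CLASSDESC (0x72) records, and flags any class outside an allowlist. The allowlist, the sample streams and the class name `org.apache.commons.collections.ConstructedExampleClass` are all constructed for the demo; the real license endpoint's legitimate object types are not known to me, so a production filter would be built from the vendor's actual types. A script like this is useful for triaging request bodies captured at a reverse proxy or in a packet capture, and for explaining to stakeholders why an allowlist, not a denylist, is the right shape for a deserialization filter.

```python
import re
from dataclasses import dataclass, field

# Constants from the Java Object Serialization Stream Protocol specification.
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Characters legal in a Java binary class name (dotted packages, '$' for inner classes).
_CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$.]*$")


@dataclass
class StreamReport:
    is_java_serialized: bool
    classes: list = field(default_factory=list)
    violations: list = field(default_factory=list)


def extract_class_names(data: bytes) -> list:
    """Heuristically pull class names out of TC_CLASSDESC records.

    A full stream parser must track back-references, block data and arrays;
    for triage it is enough to look for the 0x72 tag followed by a 2-byte
    big-endian length and a plausible class name, then skip past that name.
    """
    names = []
    i = 0
    while i < len(data) - 3:
        if data[i] == TC_CLASSDESC:
            length = int.from_bytes(data[i + 1:i + 3], "big")
            candidate = data[i + 3:i + 3 + length]
            if 1 <= length <= 255 and len(candidate) == length and _CLASS_NAME_RE.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def inspect_java_stream(data: bytes, allowed_prefixes) -> StreamReport:
    """Allowlist check in the spirit of a JEP 290 ObjectInputFilter.

    Anything that is not explicitly permitted is a violation; a denylist of
    known gadget classes would miss the next gadget library.
    """
    if not data.startswith(STREAM_MAGIC + STREAM_VERSION):
        return StreamReport(is_java_serialized=False)
    classes = extract_class_names(data)
    violations = [c for c in classes if not any(c.startswith(p) for p in allowed_prefixes)]
    return StreamReport(True, classes, violations)


def _classdesc(name: str) -> bytes:
    """Constructed TC_CLASSDESC fragment: tag, UTF name, serialVersionUID, flags, field count."""
    return (bytes([TC_CLASSDESC]) + len(name).to_bytes(2, "big") + name.encode("ascii")
            + b"\x00" * 8 + b"\x02" + b"\x00\x00")


# Constructed sample streams for the demo; these are not real GoAnywhere requests.
BENIGN_STREAM = STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT]) + _classdesc("java.util.HashMap") + b"\x78\x70"
SUSPICIOUS_STREAM = (STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT]) + _classdesc("java.util.HashMap")
                     + _classdesc("org.apache.commons.collections.ConstructedExampleClass"))

# Hypothetical allowlist; a real one is derived from the types the endpoint legitimately reads.
LICENSE_ALLOWLIST = ("java.lang.", "java.util.")


if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        report = inspect_java_stream(stream, LICENSE_ALLOWLIST)
        status = "REJECT" if report.violations else "ok"
        print(f"{label}: {status} classes={report.classes} violations={report.violations}")
```

Run it as-is to see the benign stream pass and the constructed stream rejected for the class outside the allowlist. The same allowlist logic, applied inside the JVM via `ObjectInputFilter`, is what prevents a gadget chain from ever being instantiated; the script only inspects bytes and never deserializes anything.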

Step 1: Identify internet-exposed GoAnywhere admin consoles

Scan for GoAnywhere MFT admin consoles on ports 8000 and 8001. The console login page is identifiable by its banner and SSL certificate. Cl0p used automated scanning to identify vulnerable instances across the internet.

Step 2: Send crafted serialized Java object to license endpoint

POST a malicious serialized Java object payload to the GoAnywhere license validation endpoint. No authentication credentials are required. The payload contains a deserialization gadget chain targeting Java libraries present in the GoAnywhere classpath.

Step 3: Gadget chain executes OS commands

The GoAnywhere server deserializes the object. The gadget chain triggers, executing OS commands as the GoAnywhere service process user — typically with privileges sufficient to read all file transfer data and system configuration.

Step 4: Deploy DEWMODE web shell

Cl0p deployed DEWMODE — a PHP-based web shell — to maintain persistent access to compromised GoAnywhere instances. DEWMODE provides command execution and file access via HTTP, surviving GoAnywhere service restarts.

Step 5: Exfiltrate managed file transfer data

Access file transfer logs, stored credentials, and all files transferred through the GoAnywhere system. GoAnywhere MFT handles sensitive data — financial records, HR data, healthcare records, legal documents — making exfiltration highly valuable for extortion.

Cl0p's MFT Campaign Strategy

CVE-2023-0669 was not an isolated opportunistic attack — it was part of a deliberate Cl0p strategy to target managed file transfer platforms as a high-value attack class. MFT systems are repositories of sensitive data transacted between organisations: payroll files, healthcare records, financial statements, legal documents, and regulated data of every category.

Cl0p exploited CVE-2023-0669 in GoAnywhere in early 2023 and CVE-2023-34362 in MOVEit Transfer in May 2023 — two separate MFT zero-days in the same year. The pattern is the same: exploit a pre-authentication vulnerability in the MFT platform, exfiltrate everything in the file transfer store, and extort victims with the threat of public release rather than encrypting files.

This 'data theft extortion' model (steal and threaten, don't encrypt) is advantageous to the attacker because it removes the complexity of deploying ransomware while keeping the same extortion leverage. It also means victims must evaluate breach notification obligations even if no encryption occurred, creating regulatory pressure that incentivises payment.

Confirmed CVE-2023-0669 victims illustrate the breadth of sensitive data at risk: Hitachi (industrial data), Procter & Gamble (corporate financial data), Rubrik (cybersecurity vendor internal data), Community Health Systems (healthcare records), Hatch Bank (financial records), and the City of Toronto (government records).

"Cl0p claims to have stolen data from more than 130 organisations via GoAnywhere MFT, asserting it operated exclusively within the enterprise networks for 10 days before the vendor issued any notification."

(Bleeping Computer, March 2023)

Patching and Fully Remediating CVE-2023-0669

Patching GoAnywhere closes the deserialization attack path. Post-patch remediation for organisations with internet-exposed admin consoles during the exploitation window must include compromise investigation.

Upgrade GoAnywhere MFT to 7.1.2 or later

The patch is in GoAnywhere MFT 7.1.2, released February 7, 2023. Apply via the upgrade mechanism in the GoAnywhere admin console or by downloading from the Fortra support portal. Verify the running version in System > About.

Restrict admin console to non-internet-accessible networks immediately

The GoAnywhere admin console (ports 8000, 8001) should only be reachable from internal management networks — never the public internet. Apply firewall rules blocking external access to these ports regardless of whether you have patched. This eliminates the remote attack surface for this and future vulnerabilities.

Search for DEWMODE web shell and Cl0p indicators

Check the GoAnywhere web directory for DEWMODE — a PHP web shell dropped during exploitation. File locations vary by deployment. Also search for unexpected .php files in web-accessible directories. Review scheduled tasks and startup scripts for persistence mechanisms added during the exploitation window.

Audit all file transfer activity during the exploitation window

Review GoAnywhere transfer logs for the period January 18 – February 7, 2023. Identify all files transferred during this window. Assess whether any transferred data constitutes a breach under applicable regulations (HIPAA, GDPR, PCI-DSS, state breach notification laws). Document and preserve logs for regulatory notification purposes.

Rotate all credentials stored in or accessible to GoAnywhere

GoAnywhere stores connection credentials for trading partner systems, cloud storage endpoints, SFTP servers, and internal systems. Rotate all stored credentials. Also rotate the GoAnywhere admin console credentials, database credentials, and any API keys used for integration.
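The remediation steps above (search for unexpected .php files, audit transfers in the January 18 to February 7, 2023 window) can be scripted against exported data. The following is an added example, not Fortra's tooling and not code from the original article; the file inventory, the `/opt/goanywhere/webapps/` web root and the `key=value` transfer-log format are all constructed for the demo, and GoAnywhere's real directory layout and log format differ, so the regex and paths must be adapted to an actual export. It flags any .php under the web tree (GoAnywhere is a Java application, so none belong there), notes whether the file appeared inside the exploitation window, and totals bytes downloaded per user in that window so an investigator can see who pulled what.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Exploitation window from the advisory text, in UTC: 18 Jan 2023 up to and including 7 Feb 2023.
WINDOW_START = datetime(2023, 1, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 2, 8, tzinfo=timezone.utc)

# Constructed file inventory as (path, last-modified ISO timestamp). Paths are hypothetical.
FILE_INVENTORY = [
    ("/opt/goanywhere/webapps/goanywhere/index.jsp", "2022-11-02T10:00:00Z"),
    ("/opt/goanywhere/webapps/goanywhere/images/help.php", "2023-01-21T02:17:44Z"),
    ("/opt/goanywhere/webapps/goanywhere/WEB-INF/web.xml", "2022-11-02T10:00:00Z"),
    ("/opt/goanywhere/userdata/documents/report.php", "2023-01-10T09:00:00Z"),
]

# Constructed transfer-log lines in a simple key=value shape; GoAnywhere's own format differs.
TRANSFER_LOG = """\
2023-01-15T08:02:11Z user=partner_acme action=UPLOAD file=/inbound/invoice-0115.pdf bytes=48211
2023-01-20T03:14:07Z user=admin action=DOWNLOAD file=/hr/payroll-2023-01.csv bytes=1048576
2023-01-20T03:14:09Z user=admin action=DOWNLOAD file=/finance/q4-statements.xlsx bytes=2097152
2023-02-03T22:41:55Z user=partner_acme action=UPLOAD file=/inbound/invoice-0203.pdf bytes=50102
2023-02-09T11:00:00Z user=admin action=DOWNLOAD file=/hr/payroll-2023-02.csv bytes=1048576
"""

_LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(ts: datetime) -> bool:
    return WINDOW_START <= ts < WINDOW_END


def find_unexpected_php(inventory, webroot="/opt/goanywhere/webapps/"):
    """Flag every .php file under the web-accessible tree.

    Files elsewhere (for example user documents that merely end in .php)
    are transferred content, not served code, so they are not flagged here.
    """
    hits = []
    for path, mtime in inventory:
        if path.startswith(webroot) and path.lower().endswith(".php"):
            hits.append({"path": path, "modified": mtime, "in_window": in_window(_parse_ts(mtime))})
    return hits


def transfers_in_window(log_text: str):
    """Parse log lines and keep only transfers inside the exploitation window."""
    rows = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip, but in a real audit count and report these
        if in_window(_parse_ts(m["ts"])):
            rows.append({"ts": m["ts"], "user": m["user"], "action": m["action"],
                         "file": m["file"], "bytes": int(m["bytes"])})
    return rows


def bytes_downloaded_by_user(rows):
    """Total downloaded bytes per account, the quickest view of likely exfiltration volume."""
    totals = Counter()
    for r in rows:
        if r["action"] == "DOWNLOAD":
            totals[r["user"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for hit in find_unexpected_php(FILE_INVENTORY):
        print("unexpected PHP:", hit)
    rows = transfers_in_window(TRANSFER_LOG)
    print(f"{len(rows)} transfers in window")
    print("downloaded bytes per user:", bytes_downloaded_by_user(rows))
```

On the constructed data the script reports one unexpected PHP file, modified inside the window, three transfers in the window, and the `admin` account as the sole downloader. In a real investigation the inventory would come from a recursive directory listing with modification times, and the log export would be preserved unmodified before analysis so it can support a regulatory notification.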

The bottom line

CVE-2023-0669 and the Cl0p GoAnywhere campaign represent a maturation of ransomware tactics: instead of deploying encryptors and extorting for decryption keys, Cl0p exfiltrated data from a platform specifically designed to transfer sensitive files between organisations and extorted victims with the threat of public release. The economics are better — no decryption infrastructure to maintain, no encryption failure risk — and the leverage is equivalent.

The GoAnywhere attack is also a reminder that the CVSS score is not the risk score. A 7.2 CVSS because the admin console 'shouldn't' be internet-accessible is cold comfort when 130 confirmed organisations had their file transfer data exfiltrated. Real-world deployment frequently diverges from vendor security guidance, and threat actors know this.

If your organisation uses GoAnywhere MFT and had the admin console internet-accessible prior to February 7, 2023, treat it as a confirmed breach for the purposes of incident response and regulatory notification planning. The 10-day window was enough time for Cl0p to exfiltrate everything they wanted.

Frequently asked questions

What is CVE-2023-0669?

CVE-2023-0669 is a pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT. The vulnerability is in the GoAnywhere administrative console — a Java web application — and allows an unauthenticated attacker to execute arbitrary code by exploiting a Java deserialization flaw in the license check endpoint. The administrative console is typically exposed on ports 8000 or 8001.

Why is the CVSS score 7.2 if it is pre-authentication RCE?

The CVSS 7.2 score reflects that the administrative console requires network access from a non-internet-facing segment in a default secure deployment — reducing the Network scope from fully external to adjacent. Many organisations had the admin console internet-accessible contrary to Fortra's recommendations, which is why exploitation was so widespread. The CVSS score significantly understates the real-world risk for organisations with internet-exposed admin interfaces.

How many organisations were affected by CVE-2023-0669?

Cl0p claimed over 130 organisations were compromised via CVE-2023-0669 in their 10-day zero-day window. Confirmed victims include Community Health Systems, Hatch Bank, Hitachi, Procter & Gamble, Rubrik, the City of Toronto, the Government of Nova Scotia, Crown Resorts, and multiple others. The actual count may be higher as some victims did not publicly disclose.

Was CVE-2023-0669 a zero-day?

Yes. Cl0p began exploiting CVE-2023-0669 around January 18, 2023. Fortra issued a limited security advisory on February 1, 2023 — 14 days into exploitation — and released the patch (GoAnywhere MFT 7.1.2) on February 7, 2023. The patch was not publicly announced until then, giving Cl0p a multi-week window of exclusive exploitation.

How do I fix CVE-2023-0669?

Upgrade GoAnywhere MFT to version 7.1.2 or later. If upgrade is not immediately possible, restrict or disable access to the administrative console from untrusted networks. After patching, investigate for Cl0p implants: look for the DEWMODE web shell variant documented in GoAnywhere compromises, new scheduled tasks, unexpected outbound connections, and exfiltrated file transfer logs indicating what data was accessed.

Is CVE-2023-0669 the same as the MOVEit vulnerability?

No. CVE-2023-0669 (GoAnywhere MFT) and CVE-2023-34362 (MOVEit Transfer) are separate vulnerabilities in competing managed file transfer products. Both were exploited by Cl0p as zero-days in 2023 in separate campaigns. Cl0p targeted MFT platforms systematically in 2023 due to the high value of the data they process. If your organisation uses both products, both require separate investigation.

Sources & references

  1. NVD
  2. Fortra GoAnywhere Security Advisory
  3. CISA Known Exploited Vulnerabilities Catalog
  4. Bleeping Computer — Cl0p ransomware claims 130 victims GoAnywhere
  5. Huntress — GoAnywhere MFT CVE-2023-0669 Exploitation Analysis

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.