Kevin Beaumont

**Name of the Vulnerable Software and Affected Versions** Fortra GoAnywhere MFT versions prior to 7.1.2 **Description** Fortra GoAnywhere MFT is susceptible to a pre-authentication command injection due to the deserialization of attacker-controlled objects within the License Response Servlet. The Clop ransomware group actively exploited this issue, identified as CVE-2023-0669, to steal data from over 130 organizations within a ten-day period. The vulnerability allows attackers to execute arbitrary code by sending a POST request to the `/goanywhere/lic/accept` endpoint with a malicious object. The exploitation of this vulnerability has been linked to TA505 and the Clop ransomware group, mirroring tactics used in previous attacks against Accellion FTA in 2021. The vulnerability requires the administrative functions to be exposed over the internet, typically on ports 8000/tcp and 8001/tcp/tls. **Recommendations** Update Fortra GoAnywhere MFT to version 7.1.2 or later. Restrict access to the administrative console to prevent external access. As a temporary workaround, consider disabling the License Response Servlet until a patch can be applied. Monitor network traffic and logs for suspicious activity related to the `/goanywhere/lic/accept` endpoint.