PoC Exploit For GoAnywhere MFT 0-Day Flaw (CVE-2023-0669) Published Online

CVE-2023-0669

On Monday, security researcher Florian Hauser of IT security consulting firm Code White released proof-of-concept (PoC) exploit code for a new zero-day vulnerability affecting Fortra’s GoAnywhere MFT managed file transfer application that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.

Tracked as CVE-2023-0669, the flaw is described as a remote code injection that requires access to the administrative console of the application.

GoAnywhere MFT is a secure file transfer solution that organizations use to exchange their data safely. The solution helps organizations automate their data transfers, centralize file transfer activity, and monitor file transfers and user access.

A Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT,” warns the GoAnywhere security advisory.

​Fortra says that “the attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).

Image: Kevin Beaumont

Security researcher Kevin Beaumont scanned the Internet to find the list of vulnerable systems using Shodan, there are over 1,000 on-premise instances, but just 140 are on ports 8000 and 8001 (the ones used by the vulnerable admin console).

The Fortra advisory Krebs quoted advises GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by system,” Rapid7 researcher Caitlin Condon said.

The logical deduction is that Fortra is likely seeing follow-on attacker behavior that includes the creation of new administrative or other users to take over or maintain persistence on vulnerable target systems.

At present, there is no patch currently available for the CVE-2023-0669 vulnerability, but Fortra recommends users to implementing access controls to allow access to the GoAnywhere MFT administrative interface only from trusted sources or disable the licensing service. Also, the company did share indicators of compromise (IOCs), which include the presence of compromised systems in the logs.