
Fortra GoAnywhere MFT RCE Vulnerability

Released: Feb 14, 2023

Updated: Feb 14, 2023


Severity: High

Vendor: Fortra

Type: Vulnerability

Zero-day exploited in the wild

Fortra (formerly known as HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet.

Common Vulnerabilities and Exposures

CVE-2023-0669

Background

GoAnywhere MFT is a secure managed file transfer solution that streamlines the exchange of data between systems, employees, customers, and trading partners. The security flaw CVE-2023-0669 enables attackers to gain remote code execution on unpatched GoAnywhere MFT instances. According to the Fortra advisory, the exploit requires public internet access to the administrative console of the application.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


February 1, 2023: Fortra posted a security advisory: https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1

February 7, 2023: Fortra released a patch (7.1.2) to address this actively exploited vulnerability.

February 10, 2023: The Clop ransomware group was linked to breaches of about 130 organisations using the GoAnywhere zero-day and has claimed responsibility to BleepingComputer. https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day/

February 10, 2023: CISA added the CVE-2023-0669 GoAnywhere MFT vulnerability to its Known Exploited Vulnerabilities Catalog.

FortiGuard Labs recommends updating vulnerable versions of GoAnywhere MFT to the patched version 7.1.2, as mentioned in the advisory, as soon as possible. FortiGuard Labs has also released an IPS signature to detect and block attacks relating to CVE-2023-0669.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Vulnerability

  • IPS

DETECT
RESPOND
  • Automated Response

  • Assisted Response Services

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.

