Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HFortra Goanywhere Managed File Transfer
APPFortra< 7.1.2
CISA KEV — detailsi
- Vendori
- Fortra
- Producti
- GoAnywhere MFT
- Added to KEVi
- February 10, 2023
- Remediation deadline (US Federal)i
- March 3, 2023(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply updates per vendor instructions.
Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object.
Related vulnerabilities
Deserialization i command injection w Fortra GoAnywhere MFT (License Servlet)
Pominięcie uwierzytelniania w Fortra GoAnywhere MFT — tworzenie konta admina
The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User...
Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2...
An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configure...