CVE-2023-0669 Explained: GoAnywhere MFT Pre-Authentication RCE and the Cl0p Zero-Day Campaign
A zero-day pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT that the Cl0p ransomware group exploited against over 130 organisations before the vendor issued an advisory. How a managed file transfer product became one of the most impactful enterprise vulnerabilities of 2023.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2023-0669 is a pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT, a managed file transfer platform used by thousands of enterprises, government agencies, and healthcare organisations to securely transfer sensitive files. The Cl0p ransomware group exploited it as a zero-day beginning approximately January 18, 2023, operating for ten days before Fortra issued any advisory. Cl0p claimed over 130 victim organisations, making CVE-2023-0669 one of the highest-volume single-vulnerability ransomware campaigns of 2023.
The vulnerability exists in the GoAnywhere administrative console's license validation endpoint, a Java deserialization attack that allows unauthenticated code execution. The CVSS score of 7.2 reflects that the admin console is not meant to be internet-accessible, but widespread exposure of the admin interface meant many organisations were directly reachable from the public internet.
How CVE-2023-0669 Works: Java Deserialization in the License Endpoint
GoAnywhere MFT is a Java web application. Its administrative console, typically hosted on ports 8000 or 8001, handles system configuration, user management, and license validation. The license validation endpoint accepts serialized Java object input, which it deserializes to process license data.
Java deserialization vulnerabilities arise when an application deserializes untrusted data without first validating the object type being deserialized. An attacker constructs a specially crafted serialized Java object (a 'gadget chain') that, when deserialized, executes arbitrary code as a side effect of the object's construction or method invocations.
In CVE-2023-0669, the attacker sends a crafted serialized object to the GoAnywhere license endpoint. The Java deserialization process triggers a gadget chain (typically using widely available gadget libraries like Apache Commons Collections) that executes OS commands. Because the administrative console process runs with elevated permissions, necessary for file transfer operations, the resulting code execution is highly privileged.
Identify internet-exposed GoAnywhere admin consoles
Scan for GoAnywhere MFT admin consoles on ports 8000 and 8001. The console login page is identifiable by its banner and SSL certificate. Cl0p used automated scanning to identify vulnerable instances across the internet.
Send crafted serialized Java object to license endpoint
POST a malicious serialized Java object payload to the GoAnywhere license validation endpoint. No authentication credentials are required. The payload contains a deserialization gadget chain targeting Java libraries present in the GoAnywhere classpath.
Gadget chain executes OS commands
The GoAnywhere server deserializes the object. The gadget chain triggers, executing OS commands as the GoAnywhere service process user, typically with privileges sufficient to read all file transfer data and system configuration.
Deploy DEWMODE web shell
Cl0p deployed DEWMODE, a PHP-based web shell, to maintain persistent access to compromised GoAnywhere instances. DEWMODE provides command execution and file access via HTTP, surviving GoAnywhere service restarts.
Exfiltrate managed file transfer data
Access file transfer logs, stored credentials, and all files transferred through the GoAnywhere system. GoAnywhere MFT handles sensitive data, financial records, HR data, healthcare records, legal documents, making exfiltration highly valuable for extortion.
Cl0p's MFT Campaign Strategy
CVE-2023-0669 was not an isolated opportunistic attack, it was part of a deliberate Cl0p strategy to target managed file transfer platforms as a high-value attack class. MFT systems are repositories of sensitive data transacted between organisations: payroll files, healthcare records, financial statements, legal documents, and regulated data of every category.
Cl0p exploited CVE-2023-0669 in GoAnywhere in early 2023 and CVE-2023-34362 in MOVEit Transfer in May 2023, two separate MFT zero-days in the same year. The pattern is the same: exploit a pre-authentication vulnerability in the MFT platform, exfiltrate everything in the file transfer store, and extort victims with the threat of public release rather than encrypting files.
This 'data theft extortion' model, steal and threaten, don't encrypt, is operationally advantageous because it eliminates the operational complexity of ransomware deployment while maintaining the extortion leverage. It also means victims must evaluate breach notification obligations even if no encryption occurred, creating regulatory pressure that incentivises payment.
Confirmed CVE-2023-0669 victims illustrate the breadth of sensitive data at risk: Hitachi (industrial data), Procter & Gamble (corporate financial data), Rubrik (cybersecurity vendor internal data), Community Health Systems (healthcare records), Hatch Bank (financial records), and the City of Toronto (government records).
“Cl0p claims to have stolen data from more than 130 organisations via GoAnywhere MFT, asserting it operated exclusively within the enterprise networks for 10 days before the vendor issued any notification.”
Bleeping Computer, March 2023
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Fully Remediating CVE-2023-0669
Patching GoAnywhere closes the deserialization attack path. Post-patch remediation for organisations with internet-exposed admin consoles during the exploitation window must include compromise investigation.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2023-0669 and the Cl0p GoAnywhere campaign represent a maturation of ransomware tactics: instead of deploying encryptors and extorting for decryption keys, Cl0p exfiltrated data from a platform specifically designed to transfer sensitive files between organisations and extorted victims with the threat of public release. The economics are better, no decryption infrastructure to maintain, no encryption failure risk, and the leverage is equivalent.
The GoAnywhere attack is also a reminder that the CVSS score is not the risk score. A 7.2 CVSS because the admin console 'shouldn't' be internet-accessible is cold comfort when 130 confirmed organisations had their file transfer data exfiltrated. Real-world deployment frequently diverges from vendor security guidance, and threat actors know this.
If your organisation uses GoAnywhere MFT and had the admin console internet-accessible prior to February 7, 2023, treat it as a confirmed breach for the purposes of incident response and regulatory notification planning. The 10-day window was enough time for Cl0p to exfiltrate everything they wanted.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2023-0669?
CVE-2023-0669 is a pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT. The vulnerability is in the GoAnywhere administrative console, a Java web application, and allows an unauthenticated attacker to execute arbitrary code by exploiting a Java deserialization flaw in the license check endpoint. The administrative console is typically exposed on ports 8000 or 8001.
Why is the CVSS score 7.2 if it is pre-authentication RCE?
The CVSS 7.2 score reflects that the administrative console requires network access from a non-internet-facing segment in a default secure deployment, reducing the Network scope from fully external to adjacent. Many organisations had the admin console internet-accessible contrary to Fortra's recommendations, which is why exploitation was so widespread. The CVSS score significantly understates the real-world risk for organisations with internet-exposed admin interfaces.
How many organisations were affected by CVE-2023-0669?
Cl0p claimed over 130 organisations were compromised via CVE-2023-0669 in their 10-day zero-day window. Confirmed victims include Community Health Systems, Hatch Bank, Hitachi, Procter & Gamble, Rubrik, the City of Toronto, the Government of Nova Scotia, Crown Resorts, and multiple others. The actual count may be higher as some victims did not publicly disclose.
Was CVE-2023-0669 a zero-day?
Yes. Cl0p began exploiting CVE-2023-0669 around January 18, 2023. Fortra issued a limited security advisory on February 1, 2023, 14 days into exploitation, and released the patch (GoAnywhere MFT 7.1.2) on February 7, 2023. The patch was not publicly announced until then, giving Cl0p a multi-week window of exclusive exploitation.
How do I fix CVE-2023-0669?
Upgrade GoAnywhere MFT to version 7.1.2 or later. If upgrade is not immediately possible, restrict or disable access to the administrative console from untrusted networks. After patching, investigate for Cl0p implants: look for the DEWMODE web shell variant documented in GoAnywhere compromises, new scheduled tasks, unexpected outbound connections, and exfiltrated file transfer logs indicating what data was accessed.
Is CVE-2023-0669 the same as the MOVEit vulnerability?
No. CVE-2023-0669 (GoAnywhere MFT) and CVE-2023-34362 (MOVEit Transfer) are separate vulnerabilities in competing managed file transfer products. Both were exploited by Cl0p as zero-days in 2023 in separate campaigns. Cl0p targeted MFT platforms systematically in 2023 due to the high value of the data they process. If your organisation uses both products, both require separate investigation.
Sources & references
- NVD
- Fortra GoAnywhere Security Advisory
- CISA Known Exploited Vulnerabilities Catalog
- Bleeping Computer, Cl0p ransomware claims 130 victims GoAnywhere
- Huntress, GoAnywhere MFT CVE-2023-0669 Exploitation Analysis
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
