New Zero Day: CVE-2023-0669, Deserialization of Untrusted Data

A new zero-day vulnerability has been found in GoAnywhere MFT, a popular file transfer application.

The vulnerability first came to light when @briankrebs@infosec.exchange tooted about it on the InfoSec instance of Mastodon, the popular social media platform and Twitter competitor. In his toot, he shared the advisory from the vendor Fortra, previously known as HelpSystems, posted on the GoAnywhere support portal.

The toot from @briankrebs@infosec.exchange is as follows:

Toot from @briankrebs@infosec.exchange

The National Vulnerability Database also references the GitHub page of the user frycos, who notes that he first came across the vulnerability in 2021 when he reviewed GoAnywhere MFT. He has also described this in a related blog post.

The vulnerability is classified under Common Weakness Enumeration CWE-502, Deserialization of Untrusted Data.

CVSS Score

10.0 (Critical)

The CVSS 3.1 vector string for this vulnerability is as follows:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

This indicates a CVSS 3.1 base score of 10.0 and a temporal score of 9.5, the reduction being on account of a Remediation Level of Official Fix, with the Report Confidence of Confirmed and the Exploit Code Maturity of High leaving the score otherwise unchanged.

For more details on the calculation of the CVSS 3.1 score, use the CVSS calculator published by FIRST.org.
