CVE-2023-0669

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

Credits

Brian Krebs of Krebs on Security
Ron Bowes of Rapid7
Caitlin Condon of Rapid7
Fryco of Frycos Security

References