GoAnywhere MFT Zero-Day 2023
Breach Summary
In January-February 2023, the Cl0p ransomware group exploited a zero-day vulnerability in Fortra's GoAnywhere Managed File Transfer software, compromising over 130 organizations in a campaign that directly preceded and presaged their MOVEit attack three months later. The GoAnywhere and MOVEit attacks together established Cl0p's strategy of mass exploitation of managed file transfer vulnerabilities as a core business model.
What Happened
Cl0p exploited CVE-2023-0669 in GoAnywhere MFT beginning in late January 2023, before Fortra disclosed the vulnerability. Confirmed victims included Hatch Bank, Community Health Systems (approximately 1 million patients affected), Rubrik, and Hitachi Energy. Fortra issued emergency guidance on February 1 and a patch on February 7. The attack pattern was identical to what Cl0p would repeat with MOVEit in May 2023.
Attack Vector Detail
CVE-2023-0669 was a pre-authentication remote code injection flaw in Fortra's GoAnywhere MFT web console. Cl0p exploited the vulnerability to install webshells that provided persistent access and automated data exfiltration. As with MOVEit, exploitation required no credentials and could be executed against any internet-accessible instance. Patching promptly after public disclosure did not protect organizations that were already compromised, because exploitation had been active for days before the advisory.
Breach Pattern Timeline
January 18, 2023
Fortra (formerly HelpSystems) publishes private security advisory to GoAnywhere MFT customers about a remote code execution vulnerability requiring administrative console exposure.
February 1, 2023
Cl0p ransomware group begins mass exploitation of CVE-2023-0669 against internet-exposed GoAnywhere MFT instances. Attack predates public disclosure.
February 6, 2023
Fortra publishes patches. Cl0p has already established access in dozens of victim environments.
February 10, 2023
Cl0p publicly takes credit for exploiting the GoAnywhere zero-day. Begins listing victims on its dark web leak site.
March-April 2023
Confirmed GoAnywhere/Cl0p victims include Community Health Systems (1 million patients), Procter & Gamble, Hatch Bank, Brightline (mental health), Hitachi Energy, Rio Tinto, and ~130 organizations total.
March 2023
Major U.S. healthcare victim Community Health Systems discloses 1 million patient records exposed via the GoAnywhere/Cl0p incident, the same MFT mass-exploitation pattern Cl0p will replicate three months later with MOVEit.
April-September 2023
Class actions filed against Fortra, GoAnywhere customers, and downstream affected organizations. Cl0p continues extorting victims.
2023-2024
GoAnywhere/Cl0p establishes the template Cl0p applies at much greater scale to MOVEit (May 2023) and Cleo Harmony/VLTrader/LexiCom (October-November 2024). Managed file transfer software becomes Cl0p's strategic attack surface.
Total impact: ~130 organizations affected including 1M+ patients via Community Health Systems, foundational precedent for Cl0p's managed file transfer mass exploitation model that culminates in MOVEit (May 2023) and Cleo MFT (Oct-Nov 2024).
Executive Lessons
GoAnywhere established that managed file transfer infrastructure, often treated as low-risk administrative tooling, represents a high-value attack vector because it has authorized access to sensitive data across many organizational systems by design. The Cl0p gang's systematic exploitation of the vulnerability across 130+ organizations before patches were widely applied demonstrated the economics of zero-day exploitation: find one vulnerability in widely used software and the return on investment is extraordinary.
Private Equity Implications
For PE sponsors with portfolio companies in healthcare, financial services, or manufacturing, any use of GoAnywhere, MOVEit, Accellion, or similar MFT software should trigger an immediate assessment of patch currency and internet exposure. These tools are not low-risk productivity applications; they are high-value data repositories that ransomware operators have specifically targeted across consecutive years.