Fortra GoAnywhere MFT Zero-Day Cl0p Exploitation — CVE-2023-0669, 130+ Organizations
Incident Details
Beginning 18 January 2023, Cl0p exploited a zero-day (CVE-2023-0669) in Fortra’s GoAnywhere MFT, claiming to
have breached approximately 130 organizations over 10 days before Fortra issued an emergency patch on 1
February 2023. Major victims: Community Health Systems (1M patients), Rubrik, Hitachi Energy, City of Toronto,
Hatch Bank, Saks Fifth Avenue, Procter & Gamble, and many others. Cl0p only stole data — no encryption
deployed. The GoAnywhere campaign established Cl0p’s template of exploiting enterprise MFT platforms that was
later applied at far greater scale with MOVEit (May 2023) and Cleo (December 2024). Healthcare organizations
were disproportionately affected.
Technical Details
- Initial Attack Vector: Cl0p exploited CVE-2023-0669, a pre-authentication remote code injection vulnerability in Fortra GoAnywhere MFT's administrative interface; attackers installed a web shell ('Truebot') and exfiltrated data before the vulnerability was publicly known.
- Vendor / Product: Fortra GoAnywhere Managed File Transfer (MFT)
- Malware Family: Cl0p; Truebot web shell
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
Timeline
- 2023-01-18 Breach occurred
- 2023-03-01 Publicly disclosed