Connect with us

Hi, what are you looking for?


Malware & Threats

CISA Warns of Attacks Exploiting Sophos Web Appliance Vulnerability

CISA adds Sophos, Oracle and Microsoft product security holes to its Known Exploited Vulnerabilities (KEV) catalog.

Sophos CVE-2023-1671 exploited

The US cybersecurity agency CISA added Sophos, Oracle and Microsoft product flaws to its Known Exploited Vulnerabilities (KEV) catalog on Thursday.

The Sophos flaw that the agency says has been exploited in attacks is CVE-2023-1671, a critical Sophos Web Appliance vulnerability that can be exploited by an unauthenticated attacker for arbitrary code execution. 

Sophos announced patches in April, when it also informed customers that the impacted appliance would reach end of life on July 20, 2023.

There do not appear to be any public reports describing attacks exploiting CVE-2023-1671 and Sophos could not provide clarifications to SecurityWeek by the time this article was published. [statement added in an update at the end of the article]

It’s not uncommon for threat actors to exploit Sophos product vulnerabilities in their attacks. Some attacks have been linked to a Chinese APT and targeted government and other organizations in South Asia. 

CISA’s KEV list currently includes four other Sophos product vulnerabilities, found in 2020 and 2022. 

The second vulnerability added to CISA’s KEV list on Thursday is CVE-2020-2551, an Oracle WebLogic Server flaw that can be exploited by unauthenticated attackers to take control of affected servers. 

CVE-2020-2551 was one of the four vulnerabilities targeted for initial compromise by a Chinese threat actor, according to a blog post published in early June by threat intelligence company EclecticIQ. The attacks seen by the security firm were aimed at government and critical infrastructure organizations in Taiwan. 

Advertisement. Scroll to continue reading.

It’s worth noting that at the time of writing CVE-2020-2551 is erroneously referenced as CVE-2023-2551 in an alert published by CISA. The correct CVE identifier is used in the KEV catalog, but not in the alert.

CISA on Thursday also added CVE-2023-36584 to its KEV catalog. This vulnerability allows attackers to bypass the Mark of the Web (MotW) security feature in Windows. 

Details of the vulnerability were disclosed on November 13 by Palo Alto Networks, whose researchers discovered the flaw. The researchers identified CVE-2023-36584 during an analysis of attacks launched by a Russia-linked APT, which leveraged a different MotW bypass flaw tracked as CVE-2023-36884, whose exploitation came to light in July

However, Palo Alto Networks’ blog post does not clearly state that CVE-2023-36584 has been exploited as well. In addition, Microsoft’s October 10 advisory says the vulnerability has not been exploited.  

It’s unclear if CISA has other evidence of exploitation for CVE-2023-36884 or if it may have misinterpreted Palo Alto Networks’ blog post. The agency says it only adds vulnerabilities to its KEV catalog if it has reliable evidence of exploitation, but it has been known to remove CVEs from the list. 

UPDATE: Sophos has provided the following statement to SecurityWeek:

“More than six months ago, on April 4, 2023, we released an automatic patch to all Sophos Web Appliances, as noted in the Security Advisory on our Trust Center, and in July 2023, we’ve phased out Sophos Web Appliance as previously planned. We appreciate CISA’s notice for any of the small number of remaining Sophos Web Appliance users who turned off auto-patch and/or missed our ongoing updates, and recommend they upgrade to Sophos Firewall for optimal network security moving forward.”

Palo Alto Networks has confirmed to SecurityWeek that it hasn’t observed exploitation of the new MotW bypass vulnerability.

“The ‘new’ vulnerability (CVE-2023-36584) is Unit 42’s discovery from the exploit chain, which hasn’t been observed as exploited in the wild. We first analyzed CVE-2023-36884 and determined how to execute the vulnerability. We reported to Microsoft our research based on studying CVE-2023-36884 and we were awarded a bug bounty and CVE (CVE-2023-36584). Microsoft did not confirm that the techniques we shared with them were used by the threat actors, explained Mike Harbison, distinguished engineer in Palo Alto Networks’ Unit 42. 

Related: Samsung Phone Flaws Added to CISA ‘Must Patch’ List Likely Exploited by Spyware Vendor

Related: Government Shutdown Could Bench 80% of CISA Staff

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.