Details Disclosed for Critical Vulnerability in Sophos Appliances

Organizations using security appliances from Sophos have been advised to make sure their devices are up to date after a researcher disclosed the details of a critical vulnerability patched last year.

Sophos informed customers in September 2020 that it had patched a remote code execution flaw affecting the web administration console (WebAdmin) of SG UTM devices. The issue, tracked as CVE-2020-25223, was reported to the cybersecurity firm by an external researcher, and it was fixed with the release of SG UTM v9.705 MR5, v9.607 MR7, and v9.511 MR11.

However, it appears that not all Sophos customers have patched their devices. During a recent client engagement, Justin Kennedy, research consulting director at information security consultancy Atredis Partners, noticed that the customer’s UTM devices had been running a vulnerable version of the software.

Kennedy compared the differences between the patched and unpatched versions of the software, which enabled him to identify the root cause of the vulnerability.

Last week, the researcher published a blog post detailing how CVE-2020-25223 can be exploited by a remote, unauthenticated attacker for arbitrary code execution with root privileges on a Sophos appliance.

Sophos said in an emailed statement that it’s not aware of any malicious attacks leveraging this vulnerability. However, Kennedy told SecurityWeek that “it would be incredibly easy for an attacker to exploit the vulnerability in a real world environment.”

In order to exploit CVE-2020-25223, all an attacker needs to do is send a single HTTP request. If the WebAdmin interface is exposed to the internet, it may be possible for an attacker to exploit the vulnerability directly from the web.

Kennedy said the Shodan search engine identified over 3,100 systems that appear to expose the WebAdmin interface, but it’s unclear how many of them are actually vulnerable.

He also noticed more than 95,000 instances that have the title “User Portal” instead of “WebAdmin,” but he has not checked if it’s possible to exploit the vulnerability or reach the exploitable path via the User Portal.

Asked if he is concerned about the information in his blog post being abused by malicious actors, the researcher noted that “if malicious actors wanted to exploit unpatched systems affected by the vulnerability, they’ve had more than enough time to discover the vulnerability details and exploit those systems.”

He has advised organizations to check if they are still affected by this vulnerability, and if they are, to patch their systems and then review their patching policies to identify the gaps that allowed a critical vulnerability to remain unpatched for nearly a year.
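The check Kennedy recommends comes down to comparing the running SG UTM firmware version against the three fixed releases Sophos shipped (9.511, 9.607 and 9.705, one per maintenance branch). The following is an added example of that comparison in Python; it is not code from the article, from Sophos or from Atredis Partners. It assumes the version string is reported as the dashboard-style "9.xyz" triple with an optional hyphenated build number (for instance "9.705-3"), and treats any 9.x branch newer than 9.7 as carrying the fix; both are assumptions, not facts stated on the page.

```python
"""Flag Sophos SG UTM versions that predate the CVE-2020-25223 fix.

Fixed versions, per the Sophos advisory cited in the article:
    9.5xx branch -> 9.511 (MR11)
    9.6xx branch -> 9.607 (MR7)
    9.7xx branch -> 9.705 (MR5)
Assumed (not stated on the page): any 9.x branch above 9.7 carries the fix,
and any 9.x branch below 9.5 never received it.
"""
import re

# First fixed version in each maintenance branch, keyed by the branch digit.
FIXED = {5: (9, 511), 6: (9, 607), 7: (9, 705)}

# Assumed version format: "<major>.<three-digit minor>[-<build>]", e.g. "9.705-3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d{3})(?:-(\d+))?$")


def parse_version(text):
    """Return (major, minor, build) for a UTM version string; build defaults to 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised UTM version string: {text!r}")
    major, minor, build = match.groups()
    return int(major), int(minor), int(build) if build is not None else 0


def is_vulnerable(version):
    """True if the version predates the fix on its branch, False if fixed,
    None if the major version is not UTM 9 and cannot be judged from the table."""
    major, minor, _build = parse_version(version)
    if major != 9:
        return None
    branch = minor // 100          # 511 -> 5, 607 -> 6, 705 -> 7
    if branch < 5:
        return True                # older than every fixed branch (assumption)
    if branch > 7:
        return False               # newer than every fixed branch (assumption)
    return (major, minor) < FIXED[branch]


def triage(inventory):
    """Split a {hostname: version} inventory into vulnerable, patched and unknown."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            verdict = is_vulnerable(version)
        except ValueError:
            verdict = None
        bucket = "unknown" if verdict is None else ("vulnerable" if verdict else "patched")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "utm-hq": "9.705-3",
        "utm-branch1": "9.606",
        "utm-branch2": "9.511",
        "utm-lab": "9.410",
        "utm-odd": "10.0",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run it against an export of your appliance inventory; any host in the "vulnerable" bucket needs the corresponding MR release, and anything in "unknown" should be checked by hand rather than assumed safe.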

Commenting on Kennedy’s blog post, Sophos said, “The additional detail in the blog raises awareness about how important it is for organizations to constantly update and patch their software. The emphasis we want to underscore is that updating and patching is a critical security best practice that organizations of all sizes need to build into their ongoing maintenance routines.”

It’s important that organizations don’t ignore these recommendations, as threat actors have exploited vulnerabilities in Sophos products before.

Related: Sophos Patches Privilege Escalation Flaws in SafeGuard Products

Related: Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls

Related: Critical Flaw in Sophos Cyberoam Appliances Allows Remote Code Execution

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
