Cyber Resilience

CVE-2020-12271

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 27 April 2020

Modified: 07 November 2025
KEV Added: 03 November 2021
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.8665 (99.4th percentile)
Risk Priority: 92 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-12271 is a critical-severity SQL Injection (CWE-89) vulnerability in Sophos SFOS, the operating system of Sophos XG Firewall appliances. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.6% of all CVEs by EPSS exploit likelihood (99.4th percentile); CISA added it to the Known Exploited Vulnerabilities catalog on 03 November 2021; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

A SQL injection vulnerability tracked as CVE-2020-12271 affects Sophos XG Firewall devices running SFOS versions 17.0, 17.1, 17.5, and 18.0 prior to the update issued on 2020-04-25. The flaw, classified under CWE-89, resides in the handling of input to the administration HTTPS service or the User Portal when either is exposed to the WAN zone. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation without authentication or user interaction.

Unauthenticated remote attackers can submit crafted requests to the exposed services and have attacker-controlled input interpreted as SQL. Successful exploitation leads to remote code execution on the appliance, which in the observed attacks was used to exfiltrate usernames and hashed passwords for local device administrators, User Portal administrators, and user accounts used for remote access. Passwords held in external Active Directory or LDAP directories were not exposed, because those credentials are not stored on the device.
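To make the CWE-89 pattern behind this CVE concrete, the following is an added example and not Sophos code or the SFOS implementation: a toy portal login handler written two ways. The first builds the query by string concatenation, so a crafted username reaches the SQL parser and returns every local account's username and password hash, which mirrors the impact described above. The second applies the two controls this page recommends: an allowlist check on the input (SI-10) and a parameterised query. The table name (tbluser), the column layout, the seed accounts and the unsalted SHA-256 hashing are all constructed for the example and are assumptions, not the real SFOS schema.

```python
"""Vulnerable vs. hardened login query (added example; constructed data, not SFOS)."""
import hashlib
import re
import sqlite3

# Constructed stand-in for a device's local account store: local admin,
# portal admin and a remote-access user. Hashing is a toy unsalted SHA-256,
# chosen only so the example is self-contained.
_SEED = [
    ("admin", "Summer2020!", "local_admin"),
    ("portaladmin", "p0rtal-pass", "portal_admin"),
    ("vpnuser1", "correct horse", "remote_access"),
]

# Hypothetical injection payload: closes the string literal, makes the
# WHERE clause always true, and comments out the password check.
PAYLOAD = "' OR 1=1 --"


def hash_pw(password: str) -> str:
    """Toy password hash (assumption: real systems use salted, slow hashes)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Create the constructed in-memory account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbluser (username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO tbluser VALUES (?, ?, ?)",
        [(u, hash_pw(p), r) for u, p, r in _SEED],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """CWE-89: attacker-controlled username is concatenated into the SQL text.

    Returns the matching (username, password_hash) rows. With PAYLOAD as the
    username the predicate becomes `username = '' OR 1=1`, so every row,
    hashes included, comes back to an unauthenticated caller.
    """
    query = (
        "SELECT username, password_hash FROM tbluser "
        f"WHERE username = '{username}' AND password_hash = '{hash_pw(password)}'"
    )
    return conn.execute(query).fetchall()


# SI-10 style allowlist: only characters a portal username can legitimately
# contain (assumption for the example), bounded in length.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Input validation plus a parameterised query.

    The allowlist rejects the payload before any database call; even if it
    did not, the placeholder binding keeps the username out of the SQL text.
    """
    if not USERNAME_RE.fullmatch(username):
        return []
    query = (
        "SELECT username, password_hash FROM tbluser "
        "WHERE username = ? AND password_hash = ?"
    )
    return conn.execute(query, (username, hash_pw(password))).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))   # all 3 accounts
    print("hardened:  ", login_hardened(db, PAYLOAD, "wrong"))     # []
    print("hardened:  ", login_hardened(db, "admin", "Summer2020!"))  # admin only
```

The parameterised query is the fix that removes the vulnerability class; the allowlist is defence in depth that also cuts off other mischief (oversized or control-character usernames) before the database is touched. Neither replaces the boundary control this page lists: a portal that is not reachable from the WAN cannot be attacked this way at all.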

Sophos advisory KB135412 and the accompanying security bulletin direct customers to confirm that the fix released on 2020-04-25 has been applied (or to update to a fixed SFOS build) and to stop exposing the administration and User Portal services on the WAN zone, restricting them to trusted networks only. The issue was exploited in the wild in April 2020 as part of the Asnarok campaign.


Vulnerability details

A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).

CWE(s): CWE-89 (SQL Injection)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Sophos
Product: SFOS (XG Firewall)
Versions: 17.0, 17.1, 17.5, 18.0 (builds before the 2020-04-25 fix)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): enforces validation of all input to the HTTPS administration and User Portal services, blocking the crafted SQL statements that trigger CVE-2020-12271.

SC-7 Boundary Protection (prevent): requires boundary-protection mechanisms that deny exposure of the administration and User Portal services on the WAN zone, removing the network attack surface used in this CVE.

SI-2 Flaw Remediation (prevent): mandates prompt application of the vendor-supplied SFOS fix (post-2020-04-25) that removes the SQL injection flaw from the affected code paths.

References