CVE-2020-15069

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 29 June 2020

Modified: 07 November 2025
KEV Added: 06 February 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8257 (99.3th percentile)
Risk Priority: 89 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-15069 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Sophos XG Firewall firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

Sophos XG Firewall versions 17.x through v17.5 MR12 contain a buffer overflow vulnerability tracked as CVE-2020-15069 and classified as CWE-120. The flaw resides in the HTTP/S Bookmarks feature used for clientless access and carries a CVSS 3.1 score of 9.8, reflecting network-accessible, unauthenticated remote code execution with full impact on confidentiality, integrity, and availability.

An unauthenticated attacker can send specially crafted requests to the affected feature over the network, triggering the overflow to execute arbitrary code on the firewall without requiring user interaction or credentials.

Vendor advisories direct administrators to apply the published hotfix HF062020.1 on all v17.x installations, and the issue is documented in Sophos security bulletins.

The vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild attacks against exposed appliances.

Vulnerability details

Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.

CWE(s): CWE-120
KEV Date Added: 06 February 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sophos
xg firewall firmware
17.5 · 17.0 — 17.5

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of all inputs to the HTTP/S Bookmarks feature, preventing the crafted requests that trigger the CWE-120 buffer overflow.

prevent

Enforces memory protections that block exploitation of the buffer overflow leading to unauthenticated remote code execution.

prevent

Mandates prompt application of the vendor hotfix HF062020.1 that removes the vulnerable code from all exposed v17.x firewalls.
