CVE-2020-15069
Published: 29 June 2020
Summary
CVE-2020-15069 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Sophos XG Firewall firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
Sophos XG Firewall versions 17.x through v17.5 MR12 contain a buffer overflow vulnerability tracked as CVE-2020-15069 and classified as CWE-120. The flaw resides in the HTTP/S Bookmarks feature used for clientless access and carries a CVSS 3.1 score of 9.8, reflecting network-accessible, unauthenticated remote code execution with full impact on confidentiality, integrity, and availability.
An unauthenticated attacker can send specially crafted requests to the affected feature over the network, triggering the overflow and executing arbitrary code on the firewall without user interaction or credentials.
Vendor advisories direct administrators to apply the published hotfix HF062020.1 on all v17.x installations; the issue is documented in Sophos security bulletins.
The vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming that attacks against exposed appliances have been observed in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-7197
Vulnerability details
Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.
- CWE(s): CWE-120 (Classic Buffer Overflow)
- KEV Date Added: 06 February 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping is in progress for this CVE.
Affected Assets
- Sophos XG Firewall versions 17.x through v17.5 MR12
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs to the HTTP/S Bookmarks feature, preventing the crafted requests that trigger the CWE-120 buffer overflow.
- SI-16 (Memory Protection): enforces memory protections that block exploitation of the buffer overflow leading to unauthenticated remote code execution.
- Vendor hotfix: mandates prompt application of hotfix HF062020.1, which removes the vulnerable code from all exposed v17.x firewalls.