CVE-2020-25223
Published: 25 September 2020
Summary
CVE-2020-25223 is a critical-severity OS Command Injection (CWE-78) vulnerability in the WebAdmin interface of Sophos Unified Threat Management (SG UTM). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced below.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation), with SI-2 (Flaw Remediation) covering the vendor fix itself.
Deeper analysis
A remote code execution vulnerability tracked as CVE-2020-25223 affects the WebAdmin interface of Sophos SG UTM versions prior to 9.705 MR5, 9.607 MR7, and 9.511 MR11. The flaw is classified under CWE-78 and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible command injection without any required credentials or user interaction.
An unauthenticated attacker can send specially crafted requests to the WebAdmin component to inject and execute arbitrary operating-system commands. Successful exploitation grants the attacker full control over the affected appliance, including the ability to read, modify, or delete data and to disrupt availability.
Sophos has addressed the issue in the maintenance releases listed above, and the vendor advisory published via the Sophos community site recommends immediate upgrade for any installations still running the vulnerable builds. Public exploit code demonstrating SID-based command injection against the WebAdmin endpoint has been posted to Packet Storm, confirming that working proof-of-concept material is available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-17913
Vulnerability details
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Sophos SG UTM (WebAdmin component) running any build before v9.705 MR5, v9.607 MR7, or v9.511 MR11.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all input to the WebAdmin interface, blocking the OS command injection (CWE-78) that enables unauthenticated RCE.
- SC-7 (Boundary Protection): enforces boundary protection and network-access restrictions that deny external reachability to the vulnerable WebAdmin endpoint before any crafted request arrives. This reduces exposure but does not remove the flaw; an attacker who reaches the management network can still exploit an unpatched appliance.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patches (v9.705 MR5, v9.607 MR7, v9.511 MR11) that eliminate the command-injection flaw in the WebAdmin component.
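The following is an added example, not Sophos code and not the public proof-of-concept. It illustrates the CWE-78 pattern the "Deeper analysis" section describes (a session identifier from a cookie reaching a shell command line) next to the SI-10 style fix the controls list calls for, and adds a small retrospective check over access-log lines that a defender could run against an unpatched appliance's logs. Everything specific is an assumption: the cookie name `SID`, the 16-64 alphanumeric token format, the `/webadmin.plx` path in the sample log, and `echo` standing in for whatever backend helper the real appliance invoked.

```python
"""Added example (not Sophos code): CWE-78 pattern vs. an SI-10 style fix,
plus a log check for malformed session ids.

Assumptions (not from the advisory): the session cookie is named SID, a
legitimate value is 16-64 alphanumeric characters, and `echo` stands in for
the real backend helper.
"""
import re
import subprocess

# Allowlist for a session token. Hypothetical format; the real one is not
# documented on this page.
SID_RE = re.compile(r"^[A-Za-z0-9]{16,64}$")


def lookup_session_vulnerable(sid: str) -> str:
    """CWE-78: the cookie value is pasted into a shell command string, so
    metacharacters in it (; ` $( ) are interpreted by /bin/sh."""
    out = subprocess.run(f"echo session={sid}", shell=True,
                         capture_output=True, text=True, check=True)
    return out.stdout


def is_valid_sid(sid: str) -> bool:
    """SI-10: accept only values matching the allowlisted token format."""
    return SID_RE.fullmatch(sid) is not None


def lookup_session_hardened(sid: str) -> str:
    """Validate first, then exec with an argv list and no shell, so even a
    value that slipped past validation cannot be parsed as shell syntax."""
    if not is_valid_sid(sid):
        raise ValueError("malformed session id")
    out = subprocess.run(["echo", f"session={sid}"],
                         capture_output=True, text=True, check=True)
    return out.stdout


# Constructed sample (not real traffic): a reverse-proxy access log that
# appends the SID cookie value to each request line for the WebAdmin path.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2020:10:01:02 +0000] "GET /webadmin.plx HTTP/1.1" 200 SID=Ab3dEf9hIjKlMnOpQrStUvWxYz012345
203.0.113.7 - - [12/Oct/2020:10:01:09 +0000] "GET /webadmin.plx HTTP/1.1" 200 SID=abc;id
203.0.113.7 - - [12/Oct/2020:10:01:11 +0000] "GET /webadmin.plx HTTP/1.1" 200 SID=`uname -a`
10.0.0.6 - - [12/Oct/2020:10:02:00 +0000] "GET /webadmin.plx HTTP/1.1" 200 SID=ZZ9PluralZAlphaTestToken42
"""

# Capture the source address and everything after "SID=" (the cookie value
# may contain spaces when it carries an injected command).
LOG_RE = re.compile(r"^(?P<src>\S+) .* SID=(?P<sid>.*)$")


def flag_suspicious_sids(log_text: str):
    """Return (src_ip, sid) for each request whose SID fails the allowlist.
    A cheap retrospective check on logs from an appliance that was exposed
    while unpatched."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not is_valid_sid(m["sid"]):
            hits.append((m["src"], m["sid"]))
    return hits


if __name__ == "__main__":
    payload = "abc; echo INJECTED"
    print("vulnerable path output:", repr(lookup_session_vulnerable(payload)))
    try:
        lookup_session_hardened(payload)
    except ValueError as exc:
        print("hardened path rejected payload:", exc)
    for src, sid in flag_suspicious_sids(SAMPLE_LOG):
        print(f"suspicious SID from {src}: {sid!r}")
```

The vulnerable function prints an extra `INJECTED` line because `/bin/sh` treats the `;` inside the cookie value as a command separator; the hardened version rejects the same value before anything is executed, and would pass the argument as a single argv element even if validation were skipped. The log check applies the same allowlist after the fact, which is the kind of evidence worth collecting before deciding whether an appliance that sat unpatched on the internet needs a full incident response rather than just an upgrade.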