Cyber Resilience

CVE-2023-1671

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 04 April 2023
Modified: 27 October 2025
KEV Added: 16 November 2023
Patch: available (fixed in 4.3.10.4)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9430 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-1671 is a critical-severity Command Injection (CWE-77) vulnerability in Sophos Web Appliance. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-1671 is a pre-authentication command injection vulnerability in the warn-proceed handler of Sophos Web Appliance versions prior to 4.3.10.4. The flaw, tracked under CWE-77, permits unauthenticated remote attackers to execute arbitrary operating-system commands and carries a CVSS 3.1 base score of 9.8.

An attacker with network access can submit a crafted request to the affected handler and obtain code execution without credentials or user interaction, resulting in full compromise of the confidentiality, integrity, and availability of the appliance.

Sophos security advisory sophos-sa-20230404-swa-rce states that the issue is resolved in version 4.3.10.4 and urges customers to apply the update immediately. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score has remained consistently high, with a peak of 0.9691 and a current value of 0.9430.

Vulnerability details

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.

CWE(s): CWE-77 (Command Injection)
KEV Date Added: 16 November 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sophos
Product: web appliance
Versions: ≤ 4.3.10.4

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of all inputs to the warn-proceed handler, blocking the crafted command-injection strings that enable unauthenticated RCE.
- prevent (SI-2, Flaw Remediation): Mandates prompt application of the vendor patch (4.3.10.4) that eliminates the command-injection flaw in the affected handler.
- detect: Requires continuous monitoring of network traffic and appliance logs to identify anomalous requests targeting the warn-proceed endpoint indicative of exploitation attempts.
