CVE-2023-1671
Published: 04 April 2023
Summary
CVE-2023-1671 is a critical-severity Command Injection (CWE-77) vulnerability in Sophos Web Appliance. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-1671 is a pre-authentication command injection vulnerability in the warn-proceed handler of Sophos Web Appliance versions prior to 4.3.10.4. The flaw, tracked under CWE-77, permits unauthenticated remote attackers to execute arbitrary operating-system commands and carries a CVSS 3.1 base score of 9.8.
An attacker with network access can submit a crafted request to the affected handler and obtain code execution without credentials or user interaction, resulting in full compromise of the confidentiality, integrity, and availability of the appliance.
Sophos security advisory sophos-sa-20230404-swa-rce states that the issue is resolved in version 4.3.10.4 and urges customers to apply the update immediately. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score has remained consistently high, with a peak of 0.9691 and a current value of 0.9430.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-23899
Vulnerability details
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
- CWE(s)
  - CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection")
- KEV Date Added
  - 16 November 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Sophos Web Appliance, all versions prior to 4.3.10.4
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): applied to this flaw, requires that every value reaching the warn-proceed handler be validated against a positive allowlist (and never passed to a command interpreter as part of a shell string), which removes the root cause of the unauthenticated RCE rather than trying to block individual payloads.
- SI-2 (Flaw Remediation): mandates prompt application of the vendor fix, i.e. upgrading every appliance to 4.3.10.4 or later; an inventory check of appliance versions against that threshold is the practical verification step.
- SI-4 (System Monitoring): requires continuous monitoring of network traffic and appliance logs for anomalous requests to the warn-proceed endpoint (shell metacharacters in request parameters, unexpected 5xx responses, outbound connections initiated by the appliance) that indicate exploitation attempts.
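The three controls above, carried through in code as an added example. This is illustrative code written for this page, not Sophos code and not the actual vulnerable handler: the handler path `/hypothetical/warn-proceed`, the `url` parameter, the `logger` command and the log lines are all assumptions. It shows the CWE-77 pattern (a request parameter spliced into a shell string) beside a hardened form (allowlist validation plus an argv list with no shell, SI-10), a version gate against 4.3.10.4 (SI-2), and a scan over constructed access-log lines for requests to the handler carrying shell metacharacters (SI-4).

```python
"""Command-injection (CWE-77) hardening, patch-level check and log detection.
Added example for CVE-2023-1671; the handler path, parameter name, command
and log format are assumptions, not Sophos internals."""
import re
from urllib.parse import parse_qs, urlsplit

PATCHED_VERSION = (4, 3, 10, 4)  # from the Sophos advisory: fixed in 4.3.10.4


def parse_version(version: str) -> tuple:
    """'4.3.10.3' -> (4, 3, 10, 3); non-numeric components raise ValueError."""
    return tuple(int(p) for p in version.strip().split("."))


def needs_patch(version: str) -> bool:
    """SI-2: any build older than 4.3.10.4 is in the affected range."""
    return parse_version(version) < PATCHED_VERSION


# --- Vulnerable pattern (CWE-77): untrusted parameter spliced into a shell string.
def vulnerable_command(url: str) -> str:
    # Run with shell=True, ';', '|', '$(...)' or a newline inside `url`
    # becomes a second command executed as the appliance service user.
    return "/usr/bin/logger -t warn-proceed " + url


# --- Hardened pattern (SI-10): positive validation, then argv with no shell.
SHELL_META = re.compile(r"""[;&|`$(){}<>\n\r\\'"\s]""")
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def validate_proceed_url(url: str) -> str:
    """Accept only an absolute http(s) URL with a plain hostname and no
    shell metacharacters; anything else is rejected, not sanitized."""
    if len(url) > 2048 or SHELL_META.search(url):
        raise ValueError("rejected: oversize or shell metacharacter")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not HOSTNAME.match(parts.hostname or ""):
        raise ValueError("rejected: not an http(s) URL with a plain hostname")
    return url


def is_acceptable_url(url: str) -> bool:
    try:
        validate_proceed_url(url)
        return True
    except ValueError:
        return False


def hardened_command(url: str) -> list:
    """argv list for subprocess.run(..., shell=False): the value is one
    argument, so even a validation bypass cannot start a second command."""
    return ["/usr/bin/logger", "-t", "warn-proceed", "--", validate_proceed_url(url)]


# --- Detection (SI-4) over constructed combined-format access-log lines.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

SAMPLE_LOG = """\
203.0.113.7 - - [04/Apr/2023:10:01:02 +0000] "POST /hypothetical/warn-proceed?url=http%3A%2F%2Fexample.com%2F HTTP/1.1" 302
203.0.113.9 - - [04/Apr/2023:10:01:05 +0000] "POST /hypothetical/warn-proceed?url=http%3A%2F%2Fexample.com%2F%3Bid HTTP/1.1" 500
198.51.100.4 - - [04/Apr/2023:10:02:11 +0000] "GET /hypothetical/status HTTP/1.1" 200
"""


def suspicious_requests(log_text: str) -> list:
    """(client_ip, parameter) for each request to the warn-proceed handler
    whose decoded query parameter contains a shell metacharacter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or "warn-proceed" not in m.group("target"):
            continue
        query = urlsplit(m.group("target")).query
        for key, values in parse_qs(query, keep_blank_values=True).items():
            if any(SHELL_META.search(v) for v in values):
                hits.append((m.group("ip"), key))
                break
    return hits


if __name__ == "__main__":
    print("needs patch 4.3.10.3:", needs_patch("4.3.10.3"))
    print("vulnerable:", vulnerable_command("http://example.com/;id"))
    print("hardened:", hardened_command("http://example.com/path?x=1"))
    print("suspicious:", suspicious_requests(SAMPLE_LOG))
```

The detection deliberately decodes the query before matching, since an injected `;` arrives as `%3B` on the wire; matching the raw request line would miss it. The hardened handler rejects rather than strips, so a request that fails validation is logged and dropped instead of being partially "cleaned" and executed.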