cbcvebase.
CVE-2020-12271
published 2020-04-27

Priority: P1 / 93, critical; CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 43.06% (98.6th percentile)
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).

Affected (4 ranges)

Vendor | Product | Version range | Fixed in
sophos | sfos | |
sophos | sfos | |
sophos | sfos | |
sophos | sfos | |

Detection & IOCs (extracted from sources)

other: Asnarök Trojan (ELF binaries and scripts)
filename: IC.sh
  • Target attack surface: Sophos XG Firewall devices with the administration (HTTPS) service or User Portal exposed on the WAN zone are the exploitable entry points for this pre-authentication SQL injection.
  • Post-exploitation indicator: Monitor for unexpected exfiltration of local user account data (usernames and hashed passwords) from XG Firewall devices, specifically for local admin, portal admin, and remote-access user accounts.
  • Dead-man switch behavior: After Sophos patched devices, threat actors activated a dead-man switch to trigger ransomware deployment on Windows machines behind the firewall — monitor for lateral ransomware activity following firewall compromise.
  • Web shell deployment without external C2: The actor deployed a web shell that did not reach out to external C2 for commands, making outbound C2 traffic an unreliable detection signal; focus on inbound web shell interactions instead.
  • Hotfix alert as exploitation indicator: Affected XG Firewalls that received the hotfix display an alert in the management interface indicating whether the vulnerability was exploited — use this as a host-based exploitation confirmation signal.
  • Vulnerability is only exploitable when the administration (HTTPS) service or User Portal is exposed on the WAN zone; devices not exposing these services to the WAN are not directly vulnerable via this attack vector.
  • SSL VPN port sharing increases exposure: systems where the port used for the administration interface or user portal was also used to expose a firewall service such as SSL VPN were also affected.
  • External Active Directory and LDAP passwords were NOT exfiltrated; credential reset scope should focus on local device accounts only.
  • Affected SFOS versions are 17.0, 17.1, 17.5, and 18.0 before 2020-04-25; both physical and virtual XG Firewall units are affected.

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v3.0: 10.0 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL