CVE-2020-12271
Published: 2020-04-27
Priority: P1 · 93 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability · remediation due 2022-05-03
Exploited in the wild
EPSS: 43.06% (98.6th percentile)
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | sfos | — | — |
| sophos | sfos | — | — |
| sophos | sfos | — | — |
| sophos | sfos | — | — |
Detection & IOCs (extracted from sources)
Filename: IC.sh
- Target attack surface: Sophos XG Firewall devices with the administration (HTTPS) service or User Portal exposed on the WAN zone are the exploitable entry points for this pre-authentication SQL injection.
- Post-exploitation indicator: monitor for unexpected exfiltration of local user account data (usernames and hashed passwords) from XG Firewall devices, specifically for local admin, portal admin, and remote-access user accounts.
- Dead-man switch behavior: after Sophos patched devices, the threat actors activated a dead-man switch to trigger ransomware deployment on Windows machines behind the firewall; monitor for lateral ransomware activity following a firewall compromise.
- Web shell deployment without external C2: the actor deployed a web shell that did not reach out to an external C2 for commands, so outbound C2 traffic is an unreliable detection signal; focus on inbound web shell interactions instead.
- Hotfix alert as exploitation indicator: affected XG Firewalls that received the hotfix display an alert in the management interface indicating whether the vulnerability was exploited; use this as a host-based exploitation confirmation signal.
- The vulnerability is only exploitable when the administration (HTTPS) service or User Portal is exposed on the WAN zone; devices not exposing these services to the WAN are not directly vulnerable via this attack vector.
- SSL VPN port sharing increases exposure: systems where the port used for the administration interface or User Portal was also used to expose a firewall service such as SSL VPN were also affected.
- External Active Directory and LDAP passwords were NOT exfiltrated; credential reset scope should focus on local device accounts only.
- Affected SFOS versions are 17.0, 17.1, 17.5, and 18.0 before 2020-04-25; both physical and virtual XG Firewall units are affected.
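The scoping rules above can be applied mechanically to a firewall inventory. The following Python is an added example, not Sophos tooling or code from any of the sources quoted on this page: it encodes the affected trains (17.0, 17.1, 17.5, 18.0), the WAN-exposure condition for the admin HTTPS service and the User Portal, the SSL VPN port-sharing caveat, and the post-hotfix exploitation alert, and it ranks devices by urgency. The inventory record layout, the SFOS version string format, the service names, and the default ports 4444 (admin) and 443 (User Portal) are assumptions to verify against your own devices.

```python
"""Scope triage for CVE-2020-12271 across a Sophos XG Firewall inventory.

Added example, not Sophos tooling.  It encodes the scoping rules from the
advisory text: affected SFOS trains are 17.0, 17.1, 17.5 and 18.0; a device
is reachable through this vector only when the administration (HTTPS) service
or the User Portal is exposed on the WAN zone, or when a WAN-exposed service
such as SSL VPN shares the port used by either interface.  The inventory record
layout, the SFOS version string format and the default ports are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

AFFECTED_TRAINS = {"17.0", "17.1", "17.5", "18.0"}

# Assumed version string format, e.g. "SFOS 17.5.10 MR-10" or "18.0.0 GA-Build379".
_VERSION_RE = re.compile(r"(?:SFOS\s+)?(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def sfos_train(version: str) -> Optional[str]:
    """Return the 'major.minor' train of an SFOS version string, or None if unparseable."""
    m = _VERSION_RE.search(version)
    return f"{m.group(1)}.{m.group(2)}" if m else None


@dataclass
class Device:
    name: str
    version: str
    # Services bound to the WAN zone, keyed by name, with the TCP port each listens on
    # (assumed inventory field; the service names are illustrative).
    wan_services: dict[str, int] = field(default_factory=dict)
    admin_port: int = 4444         # assumed default admin HTTPS port; verify per device
    user_portal_port: int = 443    # assumed default User Portal port; verify per device
    hotfix_applied: bool = False
    hotfix_alert_exploited: bool = False  # the post-hotfix management-interface alert


def exposure_reasons(dev: Device) -> list[str]:
    """List the WAN-facing configuration details that put the device within reach of the vector."""
    reasons = []
    if "admin_https" in dev.wan_services:
        reasons.append("admin HTTPS on WAN")
    if "user_portal" in dev.wan_services:
        reasons.append("User Portal on WAN")
    # Port sharing: any other WAN service on the admin or User Portal port also exposes
    # that interface, even though the interface itself is not listed on WAN.
    for svc, port in dev.wan_services.items():
        if svc in ("admin_https", "user_portal"):
            continue
        if port == dev.admin_port:
            reasons.append(f"{svc} shares admin port {port}")
        elif port == dev.user_portal_port:
            reasons.append(f"{svc} shares User Portal port {port}")
    return reasons


def triage(dev: Device) -> dict:
    """Classify one device.  'exploited' outranks everything else because the hotfix
    alert is positive evidence that local credentials were stolen."""
    train = sfos_train(dev.version)
    reasons = exposure_reasons(dev)
    if train is None:
        status = "unknown_version"
    elif train not in AFFECTED_TRAINS:
        status = "unaffected_version"
    elif dev.hotfix_alert_exploited:
        status = "exploited"
    elif not reasons:
        status = "not_exposed"
    elif dev.hotfix_applied:
        status = "patched"
    else:
        status = "exposed"
    return {"device": dev.name, "train": train, "status": status, "reasons": reasons}


def triage_inventory(devices: list[Device]) -> list[dict]:
    """Triage every device, most urgent first (sort is stable within a status)."""
    order = {"exploited": 0, "exposed": 1, "unknown_version": 2, "patched": 3,
             "not_exposed": 4, "unaffected_version": 5}
    return sorted((triage(d) for d in devices), key=lambda r: order[r["status"]])


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("fw-branch-01", "SFOS 17.5.10 MR-10", {"user_portal": 443}),
    Device("fw-hq-01", "SFOS 18.0.0 GA-Build379", {"ssl_vpn": 443},
           hotfix_applied=True, hotfix_alert_exploited=True),
    Device("fw-dmz-01", "SFOS 17.0.8 MR-8", {"ssl_vpn": 4444}),
    Device("fw-lab-01", "SFOS 17.1.3 MR-3", {"ssl_vpn": 8443}),
    Device("fw-new-01", "SFOS 18.5.1 MR-1", {"admin_https": 4444}),
    Device("fw-core-01", "SFOS 17.5.10 MR-10", {"admin_https": 4444}, hotfix_applied=True),
]

if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_INVENTORY):
        print(f"{r['device']:<14} {r['train'] or '?':<5} {r['status']:<18} {'; '.join(r['reasons'])}")
```

The port-sharing branch is the part most often missed in a manual review: a device whose admin interface is bound only to LAN still lands in scope if SSL VPN is published on the WAN on the same port. Devices reported as "exploited" should have every local admin, portal admin and remote-access account credential rotated; directory-backed accounts are out of scope per the sources above.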
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
The difference between the two NVD v3 scores is scope alone: the v3.0 assessment used changed scope (S:C), which yields 10.0 with these impact metrics, while the v3.1 rescoring sets S:U and yields 9.8.
GHSA
GHSA-hv48-76w3-p5fp: A SQL injection issue was found in SFOS 17
ghsa (unreviewed) · 2022-05-24 · CVE-2020-12271 · severity HIGH · CWE-89
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).
VulnCheck
Sophos SFOS SQL Injection Vulnerability
vulncheck · 2020 · CVE-2020-12271 · CVSS 9.8 [CRITICAL] · CWE-89
Sophos Firewall operating system (SFOS) firmware contains a SQL injection vulnerability that is reachable when either the administration (HTTPS) service or the User Portal is exposed on the WAN zone. Successful exploitation may cause remote code execution that exfiltrates usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).
Affected: Sophos SFOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cve.org/CVERecord?id=CVE-2020-12271; https://news.sophos.com/en-us/2020/
CISA
Sophos SFOS SQL Injection Vulnerability
cisa · added to KEV 2021-11-03 · CVE-2020-12271 · CVSS 9.8 [CRITICAL] · CWE-89
Affected: Sophos SFOS
Sophos Firewall operating system (SFOS) firmware contains a SQL injection vulnerability that is reachable when either the administration (HTTPS) service or the User Portal is exposed on the WAN zone. Successful exploitation may cause remote code execution that exfiltrates usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-12271
Remediation Due Date: 2022-05-03
No detection rules found.
No public exploits indexed.
Bleepingcomputer
US sanctions Chinese firm for hacking firewalls in ransomware attacks
blogs_bleepingcomputer · 2024-12-10 · Sergiu Gatlan
The U.S. Treasury Department has sanctioned Chinese cybersecurity company Sichuan Silence and one of its employees for their involvement in a series of Ragnarok ransomware attacks targeting U.S. critical infrastructure companies and many other victims worldwide in April 2020.
According to the Department's Office of Foreign Assets Control (OFAC), Sichuan Silence is a Chengdu-based cybersecurity government contractor (recently profiled by the Natto Thoughts team) that provides products and services to core clients like China's intelligence services.
The company's services include computer network exploitation, brute-force password cracking, email monitoring, and public sentiment suppression.
Tenable
CVE-2020-12271: Zero-Day SQL Injection Vulnerability in Sophos XG Firewall Exploited in the Wild
blogs_tenable · 2020-04-27 · CVSS 9.8 [CRITICAL]
Threat Intel
Asnarök
threat_intel · CVE-2020-12271 · CVSS 9.8 [CRITICAL]
# Threat Actor: Asnarök
## Description
Asnarök is a threat actor that exploited CVE-2020-12271, used a command injection privilege escalation to gain root access to devices, and installed the Asnarök Trojan. The campaign showed significant changes in TTPs, including the deployment of a web shell that did not reach out to an external C2 for commands. X-Ops identified a patient-zero device linked to the attack and observed the use of an IC.sh script that stole local user account data. The actor's activities were linked to a broader pattern of malicious exploit research, including targeting of vulnerabilities disclosed by bug bounty researchers.
References:
- https://community.sophos.com/kb/en-us/135412
- https://cwe.mitre.org/data/definitions/89.html
- https://news.sophos.com/en-us/2020/04/26/asnarok/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12271
Timeline
2020-04-27 · Published
2021-11-03 · Added to CISA KEV
Exploited in the wild