CVE-2020-15069
Published 2020-06-29
Priority P184 · critical · 9.8 (CVSS 3.1)
CISA Known Exploited Vulnerability (remediation due 2025-02-27)
Exploited in the wild
EPSS: 10.67% (95.2th percentile)
Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | xg_firewall_firmware | — | — |
| sophos | xg_firewall_firmware | >= 17.0 < 17.5 | 17.5 |
Detection & IOCs (extracted from sources)
filename: libsophos.so
- Exploit targets the HTTP/S Bookmarks feature for clientless access on Sophos XG Firewall 17.x through v17.5 MR12; monitor for anomalous requests to the User Portal bookmark functionality.
- Threat actor TStark exhibited intermittent VPN usage, switching between IP addresses geolocated to Hong Kong and Chengdu; treat source IPs from these geolocations targeting the XG Firewall User Portal as elevated-risk.
- Post-exploitation activity associated with this CVE includes IFRAME injection leveraging a WebAssembly vulnerability; inspect web content served through the firewall for injected IFRAMEs.
- Malware samples targeting Mac OS X and iOS platforms were linked to the TStark cluster exploiting CVE-2020-15069; extend endpoint monitoring to macOS and iOS devices on networks protected by affected Sophos XG Firewalls.
- Hotfix HF062020.1 was published for all firewalls running v17.x; verify patch application, as unpatched devices remain exploitable via the HTTP/S Bookmarks clientless access feature.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Sophos XG Firewall Buffer Overflow Vulnerability
cisa · 2025-02-06 · CVSS 9.8
CVE-2020-15069 [CRITICAL] CWE-120 Sophos XG Firewall Buffer Overflow Vulnerability
Vulnerability: Sophos XG Firewall Buffer Overflow Vulnerability
Affected: Sophos XG Firewall
Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://community.sophos.com/b/security-blog/posts/advisory-buffer-overflow-vulnerability-in-user-portal ; https://nvd.nist.gov/vuln/detail/CVE-2020-15069
Remediation Due Date: 2025-02-27
GHSA
GHSA-x7vj-wqq4-cq4v: Sophos XG Firewall 17
ghsa_unreviewed · 2022-05-24
CVE-2020-15069 [HIGH] CWE-120 GHSA-x7vj-wqq4-cq4v: Sophos XG Firewall 17
Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.
VulnCheck
Sophos XG Firewall Buffer Overflow Vulnerability
vulncheck · 2020 · CVSS 9.8
CVE-2020-15069 [CRITICAL] CWE-120 Sophos XG Firewall Buffer Overflow Vulnerability
Sophos XG Firewall Buffer Overflow Vulnerability
Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature.
Affected: Sophos XG Firewall
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/; https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/; https://news.sophos.com/en-us/2024/10/31/pacific-rim-whats-it-to-you/; https://eclypsium.com/blog/salt-typhoon/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cyble.com/resources/research-reports/global-cybersecurity-report/
Remediation
No detection rules found.
No public exploits indexed.
Threat Intel
Tstark
threat_intel · CVSS 9.8
CVE-2020-15069 [CRITICAL] Tstark
# Threat Actor: Tstark
## Description
TStark is a threat actor identified by X-Ops, associated with a cluster of devices that executed the bookmark buffer overflow exploit targeting CVE-2020-15069 (T1203). The actor exhibited odd telemetry behavior indicative of intermittent VPN usage, switching between IP addresses geolocated to Hong Kong and Chengdu. Analysis revealed malware samples for Mac OS X and iOS, as well as IFRAME injection code exploiting a WebAssembly vulnerability (T1189). Additionally, TStark was linked to the development of libsophos.so and the deployment of malicious payloads across their devices.
- 2020-06-29: Published
- 2025-02-06: Added to CISA KEV
- Exploited in the wild