CVE-2020-15069
published 2020-06-29


Priority: P1 · 84 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability, due date 2025-02-27
Exploited in the wild
EPSS: 10.67% (95.2nd percentile)
Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.

Affected

2 ranges
Vendor   Product                Version range       Fixed in
sophos   xg_firewall_firmware   (no range given)    (none given)
sophos   xg_firewall_firmware   >= 17.0, < 17.5     17.5

Note: the description states that 17.x through v17.5 MR12 is affected and that the fix shipped as hotfix HF062020.1 for all firewalls running v17.x, so the bare ">= 17.0, < 17.5 / fixed in 17.5" range understates exposure. Confirm that the hotfix is actually applied rather than relying on the version number alone.

Detection & IOCs (extracted from sources)

Filename IOC: libsophos.so
  • The exploit targets the HTTP/S Bookmarks feature for clientless access on Sophos XG Firewall 17.x through v17.5 MR12 and requires no authentication (PR:N). Because the bug is a buffer overflow reached over HTTP/S, abnormally long or oddly encoded requests to the User Portal bookmark functionality are the practical signal to monitor for.
  • Threat actor TStark exhibited intermittent VPN usage, switching between IP addresses geolocated to Hong Kong and Chengdu. Treat source IPs from these geolocations that target the XG Firewall User Portal as elevated-risk, but only as a priority boost: geolocation is a weak, easily evaded signal and should not be the sole trigger.
  • Post-exploitation activity associated with this CVE includes IFRAME injection that leveraged a WebAssembly vulnerability; inspect web content served through the firewall for injected IFRAMEs.
  • Malware samples targeting Mac OS X and iOS were linked to the TStark cluster exploiting CVE-2020-15069; extend endpoint monitoring to macOS and iOS devices on networks protected by affected Sophos XG Firewalls.
  • Hotfix HF062020.1 was published for all firewalls running v17.x. Verify that the hotfix has been applied, because unpatched devices remain exploitable via the HTTP/S Bookmarks clientless access feature.
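The detection notes above, turned into a small triage script. This is an added example, not part of the CVE record, of Sophos's own tooling, or of any cited source. Everything beyond what the page states is an assumption: the Combined Log Format input, the `/userportal/bookmark` route and `name` parameter (the page names only the feature, not its endpoint), the 512-byte length threshold, and the geolocation ranges, which are constructed stand-ins for a real GeoIP lookup.

```python
"""Heuristic log triage for abuse of the Sophos XG User Portal HTTP/S
Bookmarks feature (CVE-2020-15069).

Added example; not part of the CVE record or of Sophos's own tooling.
Assumptions not stated on the page: Combined Log Format input, a
bookmark route whose path contains "bookmark", the 512-byte parameter
threshold, and the constructed geolocation ranges below.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

MAX_PARAM_LEN = 512           # assumed: longest bookmark parameter we treat as benign
BOOKMARK_MARKER = "bookmark"  # assumed path fragment; the real route is not on the page
IOC_FILENAMES = {"libsophos.so"}  # filename IOC listed on the page

# Constructed stand-in for a GeoIP lookup. The page's notes flag source IPs
# geolocated to Hong Kong and Chengdu as elevated-risk (weak signal: it raises
# priority, it never triggers on its own).
ELEVATED_RISK_NETS = {
    ipaddress.ip_network("198.51.100.0/24"): "Hong Kong (constructed range)",
    ipaddress.ip_network("203.0.113.0/24"): "Chengdu (constructed range)",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    uri: str
    score: int
    reasons: list = field(default_factory=list)


def geo_hint(ip: str):
    """Return the elevated-risk label for ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, label in ELEVATED_RISK_NETS.items():
        if addr in net:
            return label
    return None


def triage_line(line: str):
    """Score one access-log line; None if it is not a suspicious bookmark request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, uri, status = m["ip"], m["ts"], m["uri"], m["status"]
    parts = urlsplit(uri)
    if BOOKMARK_MARKER not in parts.path.lower():
        return None  # only the clientless-access bookmark feature is in scope
    score, reasons = 0, []
    # The bug is a buffer overflow reached pre-auth over HTTP/S (PR:N), so
    # oversized parameter values are the primary signal.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            score += 3
            reasons.append(f"oversized parameter {name!r} ({len(value)} bytes)")
    if status.startswith("5"):
        score += 1  # a crashed portal process often surfaces as a 5xx
        reasons.append(f"server error {status} on bookmark request")
    label = geo_hint(ip)
    if label:
        score += 1
        reasons.append(f"source geolocated to {label}")
    return Finding(ip, ts, uri[:80], score, reasons) if score else None


def triage(lines):
    """Return findings for all suspicious lines, highest score first."""
    found = [f for f in map(triage_line, lines) if f is not None]
    return sorted(found, key=lambda f: f.score, reverse=True)


def ioc_file_hits(paths):
    """Return inventory paths whose basename matches a filename IOC from the page."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in IOC_FILENAMES]


# Constructed sample input: one benign login, one oversized bookmark request
# from a constructed elevated-risk range, one benign bookmark request.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2020:08:01:13 +0000] '
    '"GET /userportal/webpages/myaccount/login.jsp HTTP/1.1" 200 5123',
    '198.51.100.7 - - [12/Jun/2020:08:02:44 +0000] '
    '"GET /userportal/bookmark?name=' + "A" * 700 + ' HTTP/1.1" 500 0',
    '192.0.2.22 - - [12/Jun/2020:08:03:01 +0000] '
    '"GET /userportal/bookmark?name=intranet HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ip} {f.ts} score={f.score} {f.uri}")
        for r in f.reasons:
            print("   -", r)
    for p in ioc_file_hits(["/lib/libsophos.so", "/lib/libc.so.6"]):
        print("IOC file hit:", p)
```

Run against the constructed sample, only the 700-byte bookmark request from the constructed Hong Kong range scores (oversized parameter, 5xx response, elevated-risk source); the benign login and the short bookmark lookup are dropped. Against real logs, replace `ELEVATED_RISK_NETS` with a GeoIP lookup and `BOOKMARK_MARKER` with the portal's actual bookmark routes, and keep the geolocation weight low so that it only reorders findings.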

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL