CVE-2022-3980
published 2022-11-16


Priority: P183
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 8.09% (94.1 percentile)
An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.

Affected (3 ranges)

Vendor   Product                             Version range             Fixed in
sophos   mobile                              >= 5.0.0 < 9.7.5          9.7.5
sophos   sophos_mobile_managed_on-premises   >= 5.0.0 < unspecified    unspecified
sophos   sophos_mobile_managed_on-premises   unspecified – 9.7.4

Detection & IOCs (extracted from sources)

url:   /servlets/OmaDsServlet
other: http.favicon.hash:-1274798165
other: icon_hash=-1274798165
  • The exploit targets the OMA-DS servlet endpoint via an HTTP POST whose XML body contains an XXE declaration. Monitor for POST requests to /servlets/OmaDsServlet with Content-Type application/xml whose body contains DOCTYPE or ENTITY declarations.
  • Successful XXE exploitation may result in an HTTP 400 response with an empty body (len(body) == 0). Correlate 400 responses with zero-length bodies on this endpoint as a post-exploitation indicator.
  • Identify exposed Sophos Mobile on-premises instances via Shodan favicon hash -1274798165 or title 'sophos mobile', and FOFA icon_hash=-1274798165 or title='Sophos Mobile'.
  • Out-of-band (OOB) detection: monitor for unexpected outbound HTTP or DNS callbacks originating from the Sophos Mobile server, which indicate successful XXE/SSRF exploitation.
  • The vulnerability affects Sophos Mobile managed on-premises versions 5.0.0 through 9.7.4 only; cloud-hosted deployments are not affected.
  • The exploit requires no authentication (PR:N, UI:N per CVSS), meaning the /servlets/OmaDsServlet endpoint is reachable without credentials and should be restricted at the network perimeter if patching is not immediately possible.
  • The nuclei template uses a 50-second timeout for the exploit request, suggesting the XXE/SSRF callback may be slow or delayed; detection rules should account for delayed OOB responses.
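The first two detection notes above (XXE declaration in an XML POST to the servlet, and a 400 response with an empty body on the same endpoint) can be turned into a small classifier over proxy or WAF request logs. This is an added example, not code from the page or from Sophos; the record field names and the sample events are constructed, and the DOCTYPE in the sample body is a harmless internal entity used only to trigger the pattern.

```python
import re

# Constructed sample request/response records (not real traffic), shaped like
# what a reverse proxy or WAF log might provide. Field names are assumptions.
SAMPLE_EVENTS = [
    {"src": "203.0.113.5", "method": "POST", "path": "/servlets/OmaDsServlet",
     "content_type": "application/xml",
     "body": '<?xml version="1.0"?><!DOCTYPE a [<!ENTITY b "x">]><SyncML>&b;</SyncML>',
     "status": 400, "resp_len": 0},
    {"src": "198.51.100.7", "method": "POST", "path": "/servlets/OmaDsServlet",
     "content_type": "application/xml",
     "body": "<SyncML><SyncHdr/></SyncML>", "status": 200, "resp_len": 512},
    {"src": "203.0.113.9", "method": "GET", "path": "/servlets/OmaDsServlet",
     "content_type": "", "body": "", "status": 200, "resp_len": 10},
]

TARGET_PATH = "/servlets/OmaDsServlet"
# DOCTYPE or ENTITY declarations anywhere in the request body, case-insensitive.
XXE_DECL = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def classify(event):
    """Return the names of the page's detection indicators that this event
    matches; an empty list means nothing suspicious for this rule set."""
    hits = []
    if event["method"] != "POST" or event["path"] != TARGET_PATH:
        return hits
    is_xml = "xml" in event.get("content_type", "").lower()
    if is_xml and XXE_DECL.search(event.get("body", "")):
        hits.append("xxe_declaration_in_post")
    # Post-exploitation indicator from the page: HTTP 400 with a zero-length body.
    if event["status"] == 400 and event["resp_len"] == 0:
        hits.append("http_400_empty_body")
    return hits


def find_suspicious(events):
    """Map source address -> set of indicators, for events that matched anything."""
    report = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            report.setdefault(ev["src"], set()).update(hits)
    return report


if __name__ == "__main__":
    for src, hits in find_suspicious(SAMPLE_EVENTS).items():
        print(src, sorted(hits))
```

A source that triggers both indicators on the same request is the strongest signal; a lone 400/empty-body hit on this endpoint is worth reviewing but can also come from malformed client traffic.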

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.8     CRITICAL