CVE-2020-25223
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on Sophos SG UTM devices through the WebAdmin interface. It affects organizations using Sophos SG UTM appliances with vulnerable firmware versions. Attackers can gain full control of affected devices without authentication.
💻 Affected Systems
- Sophos SG UTM
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the UTM device, allowing attackers to pivot to internal networks, steal credentials, deploy ransomware, or establish persistent backdoors.
Likely Case
Remote code execution leading to device takeover, network reconnaissance, and lateral movement within the organization's network.
If Mitigated
Limited impact if WebAdmin interface is not exposed to untrusted networks and proper network segmentation is in place.
🎯 Exploit Status
Public exploit code available on Packet Storm Security. Exploitation requires no authentication and is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v9.705 MR5, v9.607 MR7, or v9.511 MR11
Vendor Advisory: https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-in-sg-utm-webadmin-cve-2020-25223
Restart Required: Yes
Instructions:
1. Log into Sophos UTM WebAdmin.
2. Navigate to System > Maintenance > Software Updates.
3. Check for available updates.
4. Apply the appropriate MR update for your version.
5. Reboot the appliance after the update completes.
🔧 Temporary Workarounds
Restrict WebAdmin Access
Limit WebAdmin interface access to trusted IP addresses only, using firewall rules.
Configure via WebAdmin: Network Protection > Firewall > Add rule to restrict WebAdmin port (default 4444) to trusted IPs
Disable WebAdmin if Not Needed
Temporarily disable the WebAdmin interface if remote management is not required.
Configure via WebAdmin: Management > Administration > WebAdmin > Uncheck 'Enable WebAdmin'
🧯 If You Can't Patch
- Immediately restrict WebAdmin access to specific management IP addresses only
- Monitor for suspicious activity on WebAdmin port (default 4444) and review authentication logs
🔍 How to Verify
Check if Vulnerable:
Check current firmware version in WebAdmin: System > Status > System Information. Compare against patched versions.
Check Version:
ssh admin@utm-ip 'cat /etc/version' or check WebAdmin System Status page
Verify Fix Applied:
Confirm that the firmware version shown in System Information is v9.705 MR5, v9.607 MR7, or v9.511 MR11, or later.
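The version comparison above is easy to get wrong across a fleet, because each 9.5/9.6/9.7 line has its own fixed release. The following is an added example (not from this page or from Sophos) that triages an inventory of version strings against the three fixed releases listed here; it assumes versions are written in the "9.705 MR5" form this page uses, and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Minimum fixed release per maintenance branch, from the advisory text on this
# page ("v9.705 MR5, v9.607 MR7, or v9.511 MR11"), as (major, minor, mr) tuples.
FIXED = {
    (9, 5): (9, 511, 11),
    (9, 6): (9, 607, 7),
    (9, 7): (9, 705, 5),
}

# Assumed display format "9.705 MR5" (optional leading "v", optional MR suffix;
# a missing suffix is treated as MR0), matching how this page lists versions.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d{3})(?:\s*MR(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor, mr), e.g. '9.607 MR7' -> (9, 607, 7)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised UTM version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(text):
    """True if the version predates the fix for its branch, False if it is the
    fixed release or later, None for a branch this page gives no fix for."""
    ver = parse_version(text)
    branch = (ver[0], ver[1] // 100)   # 9.607 -> branch (9, 6)
    fixed = FIXED.get(branch)
    if fixed is None:
        return None                    # e.g. 9.4xx: not covered by the advisory text
    return ver < fixed                 # tuple order: minor first, then MR level

def triage(inventory):
    """Map {host: version string} to {host: 'vulnerable'|'fixed'|'unknown'}."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {host: labels[is_vulnerable(v)] for host, v in inventory.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "utm-hq": "9.705 MR5",        # exactly the fixed 9.7 release
    "utm-branch1": "v9.607 MR6",  # one MR short of the 9.6 fix
    "utm-branch2": "9.510 MR11",  # same MR number, but an earlier 9.5 build
    "utm-lab": "9.512",           # later than 9.511 MR11 on the 9.5 line
    "utm-legacy": "9.410 MR3",    # branch with no fix listed on this page
}
```

Run `triage(SAMPLE_INVENTORY)` to get a per-host status; "unknown" hosts need a manual check against the vendor advisory rather than being assumed safe.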
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed login attempts followed by successful WebAdmin access
- Suspicious processes spawned from WebAdmin service
Network Indicators:
- Unusual outbound connections from UTM device
- Traffic to WebAdmin port (4444) from unexpected sources
- Command injection patterns in HTTP requests to WebAdmin
SIEM Query:
source="sophos-utm" AND (url="*WebAdmin*" AND (method="POST" OR method="GET") AND (content="*;*" OR content="*|*" OR content="*`*"))
🔗 References
- http://packetstormsecurity.com/files/164697/Sophos-UTM-WebAdmin-SID-Command-Injection.html
- https://community.sophos.com/b/security-blog
- https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-in-sg-utm-webadmin-cve-2020-25223
- https://cwe.mitre.org/data/definitions/78.html
- https://www.secpod.com/blog/remote-code-execution-in-sophos-utm/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-25223