CVE-2023-1671 – CVE-2023-1671 is a critical pre-authentication ... (How to Fix)

Q: What is the severity of CVE-2023-1671?

CVE-2023-1671 has a CVSS score of 9.8 (CRITICAL). CVE-2023-1671 is a critical pre-authentication command injection vulnerability in Sophos Web Appliance that allows unauthenticated attackers to execute arbitrary commands on affected systems. Organizations running Sophos Web Appliance versions older than 4.3.10.4 are affected. This vulnerability enables remote code execution with root privileges.

📋 TL;DR

CVE-2023-1671 is a critical pre-authentication command injection vulnerability in Sophos Web Appliance that allows unauthenticated attackers to execute arbitrary commands on affected systems. Organizations running Sophos Web Appliance versions older than 4.3.10.4 are affected. This vulnerability enables remote code execution with root privileges.

💻 Affected Systems

Products:

Sophos Web Appliance

Versions: All versions older than 4.3.10.4

Operating Systems: Sophos Web Appliance OS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Web Appliance by Sophos

View all CVEs affecting Web Appliance →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to install persistent backdoors, steal sensitive data, pivot to internal networks, and use the appliance as a foothold for further attacks.

🟠

Likely Case

Remote code execution leading to malware deployment, data exfiltration, or use as part of a botnet for DDoS attacks or cryptocurrency mining.

🟢

If Mitigated

Limited impact if appliance is isolated behind firewalls with strict network segmentation and egress filtering, though risk remains due to pre-auth nature.

🌐 Internet-Facing: HIGH - The vulnerability is pre-authentication and can be exploited remotely without any user interaction.

🏢 Internal Only: HIGH - Even internally facing appliances are vulnerable to attacks from compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available and actively used in attacks. CISA has added this to its Known Exploited Vulnerabilities catalog.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.10.4

Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce

Restart Required: Yes

Instructions:

1. Backup current configuration. 2. Download Sophos Web Appliance 4.3.10.4 or later from Sophos support portal. 3. Apply the update through the admin interface. 4. Restart the appliance as prompted. 5. Verify successful update.

🔧 Temporary Workarounds

Network Isolation

all

Restrict network access to Sophos Web Appliance management interface to trusted IP addresses only

Disable Warn-Proceed Handler

all

If possible, disable the vulnerable warn-proceed handler feature

🧯 If You Can't Patch

Immediately isolate the appliance from internet access and restrict to internal trusted networks only
Implement strict network segmentation and monitor all traffic to/from the appliance for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the appliance version in the admin interface under System > Status > Software Version

Check Version:

ssh admin@appliance-ip 'cat /etc/version' or check via web admin interface

Verify Fix Applied:

Verify version is 4.3.10.4 or higher in the admin interface and check that all services are running normally after update

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Multiple failed authentication attempts followed by successful access
Suspicious process creation from web service

Network Indicators:

Unusual outbound connections from appliance
Traffic to known malicious IPs
Unexpected SSH or reverse shell connections

SIEM Query:

source="sophos-web-appliance" AND (event_type="command_execution" OR process_name="sh" OR process_name="bash")

📊 Metadata

CVE ID: CVE-2023-1671

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: April 4, 2023

Last Updated: October 27, 2025

🔗 References

http://packetstormsecurity.com/files/172016/Sophos-Web-Appliance-4.3.10.4-Command-Injection.html Exploit,Third Party Advisory,VDB Entry
https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce Vendor Advisory
http://packetstormsecurity.com/files/172016/Sophos-Web-Appliance-4.3.10.4-Command-Injection.html Exploit,Third Party Advisory,VDB Entry
https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-1671 US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-1671, you might also want to check these: