CVE-2023-30805

9.8 CRITICAL

📋 TL;DR

Sangfor Next-Gen Application Firewall NGAF8.0.17 has an unauthenticated remote command injection vulnerability in the /LogInOut.php endpoint. Attackers can execute arbitrary operating system commands by sending crafted HTTP POST requests with shell meta-characters in the 'un' parameter. This affects all deployments running the vulnerable version.

💻 Affected Systems

Products:
  • Sangfor Next-Gen Application Firewall (NGAF)
Versions: NGAF8.0.17
Operating Systems: Sangfor's custom Linux-based OS
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable version are affected regardless of configuration. The /LogInOut.php endpoint is typically accessible by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install persistent backdoors, exfiltrate sensitive data, pivot to internal networks, and use the firewall as a launch point for further attacks.

🟠 Likely Case

Attackers gain shell access to the firewall appliance, potentially disabling security controls, intercepting traffic, or using the device for cryptocurrency mining or DDoS attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the firewall appliance itself, though it could still be used to attack other systems if lateral movement is possible.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing deployments extremely vulnerable to automated attacks.
🏢 Internal Only: MEDIUM - Internal deployments are still vulnerable to insider threats or attackers who have gained initial access to the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple security researchers have published proof-of-concept exploits. The vulnerability requires minimal technical skill to exploit with readily available tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NGAF8.0.18 or later

Vendor Advisory: https://www.sangfor.com/security-advisory

Restart Required: Yes

Instructions:

1. Log into the Sangfor NGAF management interface.
2. Navigate to System > Upgrade.
3. Download and install NGAF8.0.18 or later firmware.
4. Reboot the appliance after installation completes.
5. Verify the version has been updated.

🔧 Temporary Workarounds

Web Application Firewall Rule

Platform: all

Block or sanitize requests containing shell meta-characters in the 'un' parameter.

Add WAF rule: Block POST requests to /LogInOut.php containing any of the characters: ; & | ` $ ( ) { } [ ] < > ' "

Network Access Control

Platform: linux

Restrict access to the /LogInOut.php endpoint using firewall rules. Note that the string match below only sees plaintext: on port 443 the request path is inside the TLS payload, so this rule is only effective where TLS is terminated before the packet reaches the filtering host; otherwise restrict by source IP instead.

iptables -A INPUT -p tcp --dport 443 -m string --string "/LogInOut.php" --algo bm -j DROP

🧯 If You Can't Patch

  • Immediately isolate the NGAF appliance from the internet and restrict internal access to only necessary administrative IPs
  • Implement network monitoring and IDS/IPS rules to detect and block exploitation attempts targeting this vulnerability

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the NGAF web interface under System > System Info. If version is NGAF8.0.17, the system is vulnerable.

Check Version:

curl -k https://<ngaf-ip>/cgi-bin/login.cgi | grep version

Verify Fix Applied:

After patching, verify the version shows NGAF8.0.18 or later. Test by attempting to access /LogInOut.php with shell characters in the 'un' parameter - it should be blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /LogInOut.php containing shell meta-characters in parameters
  • Unusual command execution patterns in system logs
  • Failed login attempts with suspicious characters

Network Indicators:

  • HTTP traffic to /LogInOut.php with unusual parameter values
  • Outbound connections from the NGAF appliance to unexpected destinations
  • Sudden spikes in traffic to the login endpoint

SIEM Query:

source="ngaf_logs" AND url="/LogInOut.php" AND (param="un" AND value MATCHES "[;&|`$(){}\[\]<>'\"]")
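As an added example that is not part of this advisory, the following Python checker implements the first log indicator above and the same shell meta-character class used by the WAF rule under Temporary Workarounds and by the SIEM query: it flags POST requests to /LogInOut.php whose 'un' parameter contains one of those characters after URL-decoding. The log line format, the field layout and the sample lines are constructed for the example and are assumptions; adapt the regular expression to whatever your web or WAF log actually emits.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Shell meta-characters listed in the advisory's WAF rule and SIEM query.
SHELL_META = frozenset(';&|`$(){}[]<>\'"')

# Assumed log format (constructed for this example):
#   <timestamp> <source-ip> <method> <path> "<url-encoded form body>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>[^"]*)"$'
)

TARGET_PATH = "/LogInOut.php"

# Constructed sample lines: one benign login, two requests carrying shell
# meta-characters in 'un', a GET (wrong method), a POST to another path,
# and a legitimate username containing an apostrophe (expected false positive).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 POST /LogInOut.php "un=alice&pw=secret"
2024-05-01T10:00:02Z 203.0.113.5 POST /LogInOut.php "un=admin%3Bid&pw=x"
2024-05-01T10:00:03Z 203.0.113.5 POST /LogInOut.php "un=%60whoami%60&pw=x"
2024-05-01T10:00:04Z 198.51.100.9 GET /LogInOut.php "un=bob%3B"
2024-05-01T10:00:05Z 198.51.100.9 POST /index.php "un=x%7Cy"
2024-05-01T10:00:06Z 203.0.113.5 POST /LogInOut.php "un=o%27brien&pw=x"
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_un_values(body):
    """Return every decoded 'un' value in a form body that contains a shell meta-character.

    parse_qs percent-decodes the values, so an encoded ';' (%3B) is caught
    the same way as a literal one.
    """
    params = parse_qs(body, keep_blank_values=True)
    return [v for v in params.get("un", []) if SHELL_META & set(v)]


def check_line(line):
    """Return an alert dict for a POST to /LogInOut.php with a suspicious 'un', else None."""
    rec = parse_line(line)
    if rec is None or rec["method"] != "POST":
        return None
    # Compare the path without any query string.
    if rec["path"].split("?", 1)[0] != TARGET_PATH:
        return None
    hits = suspicious_un_values(rec["body"])
    if not hits:
        return None
    return {"ts": rec["ts"], "src": rec["src"], "un": hits}


def scan(lines):
    """Run check_line over an iterable of log lines and collect the alerts."""
    return [alert for alert in (check_line(line) for line in lines) if alert]


def count_by_source(alerts):
    """Count alerts per source IP, useful for spotting a single host probing the endpoint."""
    return Counter(alert["src"] for alert in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for alert in found:
        print(f"{alert['ts']} {alert['src']} un={alert['un']}")
    print("alerts per source:", dict(count_by_source(found)))
```

On the constructed sample the checker raises three alerts, all from 203.0.113.5. The last of them is the username o'brien: because the advisory's character list includes the single quote, legitimate names with apostrophes will match, so if your user base contains such names either drop `'` from the set or alert on the remaining characters with higher priority.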

🔗 References
