Sophos

Products by Sophos, Sorted by Most Security Vulnerabilities since 2018

Sophos Xg Firewall Firmware: 7 vulnerabilities
Sophos Firewall: 6 vulnerabilities
Sophos Sfos: 3 vulnerabilities
Sophos Firewall Firmware: 1 vulnerability

Known Exploited Sophos Vulnerabilities

The following Sophos vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Sophos XG Firewall Buffer Overflow Vulnerability (CVE-2020-15069; Exploit Probability: 82.6%; added February 6, 2025)
Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature.

CyberoamOS (CROS) SQL Injection Vulnerability (CVE-2020-29574; Exploit Probability: 8.4%; added February 6, 2025)
CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely.

Sophos Web Appliance Command Injection Vulnerability (CVE-2023-1671; Exploit Probability: 94.3%; added November 16, 2023)
Sophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution.

Sophos Firewall Code Injection Vulnerability (CVE-2022-3236; Exploit Probability: 93.1%; added September 23, 2022)
A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Sophos Firewall Authentication Bypass Vulnerability (CVE-2022-1040; Exploit Probability: 94.4%; added March 31, 2022)
An authentication bypass vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Sophos SG UTM Remote Code Execution Vulnerability (CVE-2020-25223; Exploit Probability: 94.4%; added March 25, 2022)
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM.

Sophos XG Firewall SQL Injection Vulnerability (CVE-2020-12271; Exploit Probability: 88.9%; added November 3, 2021)
A SQL injection issue affecting devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone.

Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 0 vulnerabilities in Sophos. Last year, in 2025, Sophos had 2 security vulnerabilities published. Right now, Sophos is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year  Vulnerabilities  Average Score
2026 0 0.00
2025 2 7.80
2024 2 0.00
2023 10 6.28
2022 15 7.13
2021 7 6.34
2020 8 8.53
2019 0 0.00
2018 15 7.34

It may take a day or so for new Sophos vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Sophos Security Vulnerabilities

CVE-2025-6704 (Jul 21, 2025) - Sophos Firewall <21.0.2 SPX ARW pre-auth RCE
An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode.
Products: Firewall Firmware

CVE-2024-13861 (Apr 11, 2025) - Taegis Endpoint Agent <1.3.10 Local Code Injection (root exploit) on Debian
A code injection vulnerability in the Debian package component of Taegis Endpoint Agent (Linux) versions older than 1.3.10 allows local users arbitrary code execution as root. Redhat-based systems using RPM packages are not affected.
Products: Taegis Endpoint Agent

CVE-2024-12729 (Dec 19, 2024) - Sophos Firewall User Portal Remote Code Execution Vulnerability
A post-auth code injection vulnerability in the User Portal allows authenticated users to execute code remotely in Sophos Firewall older than version 21.0 MR1 (21.0.1).
Products: Firewall

CVE-2024-12727 (Dec 19, 2024) - Sophos Firewall SQL Injection Vulnerability in Email Protection Feature
A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.
Products: Firewall

CVE-2021-36806 (Nov 30, 2023) - Sophos Email Appliance <4.5.3.4 Reflected XSS + Open Redirect
A reflected XSS vulnerability allows an open redirect when the victim clicks a malicious link to an error page on Sophos Email Appliance older than version 4.5.3.4.
Products: Email Appliance

CVE-2023-5552 (Oct 18, 2023) - Password Disclosure via SPX in Sophos Firewall <19.5.3
A password disclosure vulnerability in the Secure PDF eXchange (SPX) feature allows attackers with full email access to decrypt PDFs in Sophos Firewall version 19.5 MR3 (19.5.3) and older, if the password type is set to Specified by sender.
Products: Firewall

CVE-2023-33335 (Jul 05, 2023) - XSS in Sophos iView (grpname) allows arbitrary script execution
Cross Site Scripting (XSS) in Sophos iView (end of life since December 31st, 2020) in the grpname parameter allows arbitrary script to be executed.
Products: Iview

CVE-2023-33336 (Jun 30, 2023) - Sophos Web Appliance v4.3.9.1 XSS via double quotes
A reflected cross-site scripting (XSS) vulnerability was discovered in Sophos Web Appliance v4.3.9.1 that allows arbitrary code to be injected via double quotes.
Products: Web Appliance

CVE-2022-4934 (Apr 04, 2023) - Privileged CMD Injection in Sophos Web Appliance <4.3.10.4 ExceptionWizard
A post-auth command injection vulnerability in the exception wizard of Sophos Web Appliance older than version 4.3.10.4 allows administrators to execute arbitrary code.
Products: Web Appliance

CVE-2020-36692 (Apr 04, 2023) - Sophos Web Appliance <4.3.10.4 Reflected XSS in Report Scheduler
A reflected XSS via POST vulnerability in the report scheduler of Sophos Web Appliance versions older than 4.3.10.4 allows execution of JavaScript code in the victim's browser via a malicious form that must be manually submitted by the victim while logged in to SWA.
Products: Web Appliance

CVE-2023-1671 (Apr 04, 2023) - Pre-auth Cmd Injection in Sophos Web Appliance <4.3.10.4 warn-proceed
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
Products: Web Appliance

CVE-2022-48310 (Mar 01, 2023) - Info Disclosure in Sophos Connect <2.2.90: Key Material in Support Archives
An information disclosure vulnerability allows sensitive key material to be included in technical support archives in Sophos Connect versions older than 2.2.90.
Products: Connect

CVE-2022-48309 (Mar 01, 2023) - CSRF in Sophos Connect prior to 2.2.90 enables log & support archive download
A CSRF vulnerability allows malicious websites to retrieve logs and technical support archives in Sophos Connect versions older than 2.2.90.
Products: Connect

CVE-2022-4901 (Mar 01, 2023) - XSS in Sophos Connect 2.2.90+ to run JS via VPN config
Multiple stored XSS vulnerabilities in Sophos Connect versions older than 2.2.90 allow JavaScript code to run in the local UI via a malicious VPN configuration that must be manually loaded by the victim.
Products: Connect

CVE-2022-3710 (Dec 01, 2022) - Sophos Firewall <19.5 GA: Post-Auth Read-Only SQLi in API Controller
A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA.
Products: Xg Firewall Firmware

CVE-2022-3226 (Dec 01, 2022) - Sophos Firewall <19.5 OS Command Injection via SSL VPN Config Upload
An OS command injection vulnerability allows admins to execute code via SSL VPN configuration uploads in Sophos Firewall releases older than version 19.5 GA.
Products: Xg Firewall Firmware

CVE-2022-3696 (Dec 01, 2022) - Webadmin Code Injection in Sophos Firewall <19.5
A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA.
Products: Xg Firewall Firmware

CVE-2022-3709 (Dec 01, 2022) - Stored XSS in Sophos Firewall Webadmin (pre-19.5 GA), Admin to SuperAdmin
A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA.
Products: Xg Firewall Firmware

CVE-2022-3713 (Dec 01, 2022) - Sophos Firewall <19.5 GA: Wifi Controller Code Injection
A code injection vulnerability allows adjacent attackers to execute code in the Wifi controller of Sophos Firewall releases older than version 19.5 GA.
Products: Xg Firewall Firmware

CVE-2022-3711 (Dec 01, 2022) - Post-auth Read-Only SQLi in Sophos Firewall <=19.5 GA's User Portal
A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall releases older than version 19.5 GA.
Products: Xg Firewall Firmware

CVE-2022-3980 (Nov 16, 2022) - XEE SSRF/Code Exec in Sophos Mobile Managed (v5.0.0 to 9.7.4)
An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
Products: Mobile

CVE-2022-3236 (Sep 23, 2022) - Code Injection in Sophos Firewall v19.0 MR1 and older User Portal/Webadmin
A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.
Products: Firewall

CVE-2022-1807 (Sep 07, 2022) - SQLi in Sophos FW Webadmin (<=18.5 MR4/<=19.0 MR1) Privilege Escalation
Multiple SQLi vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 18.5 MR4 and version 19.0 MR1.
Products: Firewall

CVE-2021-25266 (Apr 27, 2022)
An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495.
Products: Intercept X, Authenticator

CVE-2022-0331 (Mar 29, 2022)
An information disclosure vulnerability in Webadmin allows an unauthenticated remote attacker to read the device serial number in Sophos Firewall version v18.5 MR2 and older.
Products: Sfos

CVE-2022-1040 (Mar 25, 2022)
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
Products: Sfos, Firewall

CVE-2022-0386 (Mar 22, 2022)
A post-auth SQL injection vulnerability in the Mail Manager potentially allows an authenticated attacker to execute code in Sophos UTM before version 9.710.
Products: Unified Threat Management

CVE-2022-0652 (Mar 22, 2022)
Confd log files contain local users', including root's, SHA512crypt password hashes with insecure access permissions. This allows a local attacker to attempt off-line brute-force attacks against these password hashes in Sophos UTM before version 9.710.
Products: Unified Threat Management

CVE-2021-36809 (Mar 08, 2022)
A local attacker can overwrite arbitrary files on the system with VPN client logs using administrator privileges, potentially resulting in a denial of service and data loss, in all versions of Sophos SSL VPN client.
Products: Ssl Vpn Client

CVE-2021-36807 (Nov 26, 2021)
An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.
Products: Unified Threat Management Up2date

CVE-2021-25269 (Nov 26, 2021)
A local administrator could prevent the HMPA service from starting despite tamper protection using an unquoted service path vulnerability in the HMPA component of Sophos Intercept X Advanced and Sophos Intercept X Advanced for Server before version 2.0.23, as well as Sophos Exploit Prevention before version 3.8.3.
Products: Exploit Prevention, Intercept X Endpoint, Intercept X For Server, and others

CVE-2021-36808 (Oct 30, 2021)
A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.
Products: Sophos Secure Workspace

CVE-2021-25270 (Oct 08, 2021)
A local attacker could execute arbitrary code with administrator privileges in HitmanPro.Alert before version Build 901.
Products: Hitmanpro Alert

CVE-2021-25271 (Oct 08, 2021)
A local attacker could read or write arbitrary files with administrator privileges in HitmanPro before version Build 318.
Products: Hitmanpro

CVE-2021-25273 (Jul 29, 2021)
Stored XSS can execute as administrator in the quarantined email detail view in Sophos UTM before version 9.706.
Products: Unified Threat Management

CVE-2021-25264 (May 17, 2021)
In multiple versions of Sophos Endpoint products for MacOS, a local attacker could execute arbitrary code with administrator privileges.
Products: Home, Intercept X

CVE-2020-29574 (Dec 11, 2020)
An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.
Products: Cyberoamos

CVE-2020-25223 (Sep 25, 2020)
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
Products: United Threat Management, Unified Threat Management

CVE-2020-15069 (Jun 29, 2020)
Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.
Products: Xg Firewall Firmware

CVE-2020-14980 (Jun 22, 2020)
The Sophos Secure Email application through 3.9.4 for Android has Missing SSL Certificate Validation.
Products: Sophos Secure Email

CVE-2020-12271 (Apr 27, 2020)
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).
Products: Sfos

CVE-2020-10947 (Apr 17, 2020)
Mac Endpoint for Sophos Central before 9.9.6 and Mac Endpoint for Sophos Home before 2.2.6 allow Privilege Escalation.
Products: Anti Virus For Sophos Central, Anti Virus For Sophos Home

CVE-2020-9540 (Mar 02, 2020)
Sophos HitmanPro.Alert before build 861 allows local elevation of privilege.
Products: Hitmanpro Alert

CVE-2020-9363 (Feb 24, 2020)
The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive. This affects Endpoint Protection, Cloud Optix, Mobile, Intercept X Endpoint, Intercept X for Server, and Secure Web Gateway. NOTE: the vendor feels that this does not apply to endpoint-protection products because the virus would be detected upon extraction.
Products: Cloud Optix, Endpoint Protection, Intercept X Endpoint, and others

CVE-2018-3971 (Oct 25, 2018)
An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to write data to an attacker-controlled address, resulting in memory corruption. An attacker can send an IRP request to trigger this vulnerability.
Products: Hitmanpro Alert

CVE-2018-3970 (Oct 25, 2018)
An exploitable memory disclosure vulnerability exists in the 0x222000 IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure. An attacker can send an IRP request to trigger this vulnerability.
Products: Hitmanpro Alert

CVE-2018-6851 (Jul 09, 2018)
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80206040. By crafting an input buffer we can control the execution path to the point where the constant DWORD 0 will be written to a user-controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM.
Products: Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client, and others

CVE-2018-6852 (Jul 09, 2018)
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202298. By crafting an input buffer we can control the execution path to the point where the nt!memset function is called to zero out contents of a user-controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM.
Products: Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client, and others

CVE-2018-6853 (Jul 09, 2018)
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80206024. By crafting an input buffer we can control the execution path to the point where a global variable will be written to a user-controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM.
Products: Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client, and others

CVE-2018-6854 (Jul 09, 2018)
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via multiple IOCTLs, e.g., 0x8810200B, 0x8810200F, 0x8810201B, 0x8810201F, 0x8810202B, 0x8810202F, 0x8810203F, 0x8810204B, 0x88102003, 0x88102007, 0x88102013, 0x88102017, 0x88102027, 0x88102033, 0x88102037, 0x88102043, and 0x88102047. When some conditions in the user-controlled input buffer are not met, the driver writes an error code (0x2000001A) to a user-controlled address. Also, note that all the aforementioned IOCTLs use transfer type METHOD_NEITHER, which means that the I/O manager does not validate any of the supplied pointers and buffer sizes. So, even though the driver checks for input/output buffer sizes, it doesn't validate if the pointers to those buffers are actually valid. So, we can supply a pointer for the output buffer to a kernel address space address, and the error code will be written there. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.
Products: Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client, and others
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).