Sophos
Known Exploited Sophos Vulnerabilities
The following Sophos vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
Sophos XG Firewall Buffer Overflow Vulnerability | Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature. CVE-2020-15069 Exploit Probability: 57.4% | February 6, 2025 |
CyberoamOS (CROS) SQL Injection Vulnerability | CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely. CVE-2020-29574 Exploit Probability: 12.2% | February 6, 2025 |
Sophos Web Appliance Command Injection Vulnerability | Sophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution. CVE-2023-1671 Exploit Probability: 94.3% | November 16, 2023 |
Sophos Firewall Code Injection Vulnerability | A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution. CVE-2022-3236 Exploit Probability: 92.7% | September 23, 2022 |
Sophos Firewall Authentication Bypass Vulnerability | An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution. CVE-2022-1040 Exploit Probability: 94.4% | March 31, 2022 |
Sophos SG UTM Remote Code Execution Vulnerability | A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM. CVE-2020-25223 Exploit Probability: 94.4% | March 25, 2022 |
Sophos XG Firewall SQL Injection Vulnerability | A SQL injection issue affects devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. CVE-2020-12271 Exploit Probability: 83.2% | November 3, 2021 |
Of the known exploited vulnerabilities above, 5 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2020-15069: Sophos XG Firewall Buffer Overflow Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.
By the Year
In 2025 there has been 1 vulnerability in Sophos products, with an average score of 7.8 out of ten. Last year, in 2024, Sophos had 2 security vulnerabilities published. Right now, Sophos is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 1 | 7.80 |
2024 | 2 | 0.00 |
2023 | 10 | 6.28 |
2022 | 15 | 7.13 |
2021 | 7 | 6.34 |
2020 | 8 | 8.69 |
2019 | 0 | 0.00 |
2018 | 15 | 7.34 |
It may take a day or so for new Sophos vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Sophos Security Vulnerabilities
A code injection vulnerability in the Debian package component of Taegis Endpoint Agent (Linux) versions older than 1.3.10
CVE-2024-13861
7.8 - High
- April 11, 2025
A code injection vulnerability in the Debian package component of Taegis Endpoint Agent (Linux) versions older than 1.3.10 allows local users arbitrary code execution as root. Redhat-based systems using RPM packages are not affected.
Code Injection
Sophos Firewall User Portal Remote Code Execution Vulnerability
CVE-2024-12729
- December 19, 2024
A post-auth code injection vulnerability in the User Portal allows authenticated users to execute code remotely in Sophos Firewall older than version 21.0 MR1 (21.0.1).
Sophos Firewall SQL Injection Vulnerability in Email Protection Feature
CVE-2024-12727
- December 19, 2024
A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.
A reflected XSS vulnerability
CVE-2021-36806
6.1 - Medium
- November 30, 2023
A reflected XSS vulnerability allows an open redirect when the victim clicks a malicious link to an error page on Sophos Email Appliance older than version 4.5.3.4.
XSS
A password disclosure vulnerability in the Secure PDF eXchange (SPX) feature
CVE-2023-5552
7.5 - High
- October 18, 2023
A password disclosure vulnerability in the Secure PDF eXchange (SPX) feature allows attackers with full email access to decrypt PDFs in Sophos Firewall version 19.5 MR3 (19.5.3) and older, if the password type is set to Specified by sender.
Insufficiently Protected Credentials
Cross Site Scripting (XSS) in Sophos iView (EOL was December 31st 2020) in grpname parameter
CVE-2023-33335
6.1 - Medium
- July 05, 2023
Cross Site Scripting (XSS) in Sophos iView (EOL was December 31st 2020) in the grpname parameter allows arbitrary script to be executed.
XSS
Reflected cross site scripting (XSS) vulnerability was discovered in Sophos Web Appliance v4.3.9.1
CVE-2023-33336
4.8 - Medium
- June 30, 2023
A reflected cross site scripting (XSS) vulnerability was discovered in Sophos Web Appliance v4.3.9.1 that allows arbitrary code to be injected via double quotes.
XSS
A post-auth command injection vulnerability in the exception wizard of Sophos Web Appliance older than version 4.3.10.4
CVE-2022-4934
7.2 - High
- April 04, 2023
A post-auth command injection vulnerability in the exception wizard of Sophos Web Appliance older than version 4.3.10.4 allows administrators to execute arbitrary code.
Command Injection
A reflected XSS via POST vulnerability in report scheduler of Sophos Web Appliance versions older than 4.3.10.4 allows execution of JavaScript code in the victim browser via a malicious form
CVE-2020-36692
5.4 - Medium
- April 04, 2023
A reflected XSS via POST vulnerability in report scheduler of Sophos Web Appliance versions older than 4.3.10.4 allows execution of JavaScript code in the victim browser via a malicious form that must be manually submitted by the victim while logged in to SWA.
XSS
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4
CVE-2023-1671
9.8 - Critical
- April 04, 2023
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
Command Injection
An information disclosure vulnerability
CVE-2022-48310
5.5 - Medium
- March 01, 2023
An information disclosure vulnerability allows sensitive key material to be included in technical support archives in Sophos Connect versions older than 2.2.90.
Cleartext Storage of Sensitive Information
A CSRF vulnerability
CVE-2022-48309
4.3 - Medium
- March 01, 2023
A CSRF vulnerability allows malicious websites to retrieve logs and technical support archives in Sophos Connect versions older than 2.2.90.
Session Riding
Multiple stored XSS vulnerabilities in Sophos Connect versions older than 2.2.90 allow Javascript code to run in the local UI via a malicious VPN configuration
CVE-2022-4901
6.1 - Medium
- March 01, 2023
Multiple stored XSS vulnerabilities in Sophos Connect versions older than 2.2.90 allow Javascript code to run in the local UI via a malicious VPN configuration that must be manually loaded by the victim.
XSS
A post-auth read-only SQL injection vulnerability
CVE-2022-3710
2.7 - Low
- December 01, 2022
A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA.
SQL Injection
An OS command injection vulnerability
CVE-2022-3226
7.2 - High
- December 01, 2022
An OS command injection vulnerability allows admins to execute code via SSL VPN configuration uploads in Sophos Firewall releases older than version 19.5 GA.
Shell injection
A post-auth code injection vulnerability
CVE-2022-3696
7.2 - High
- December 01, 2022
A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA.
Code Injection
A stored XSS vulnerability
CVE-2022-3709
8.4 - High
- December 01, 2022
A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA.
XSS
A code injection vulnerability
CVE-2022-3713
8.8 - High
- December 01, 2022
A code injection vulnerability allows adjacent attackers to execute code in the Wifi controller of Sophos Firewall releases older than version 19.5 GA.
Code Injection
A post-auth read-only SQL injection vulnerability
CVE-2022-3711
4.3 - Medium
- December 01, 2022
A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall releases older than version 19.5 GA.
SQL Injection
An XML External Entity (XEE) vulnerability
CVE-2022-3980
9.8 - Critical
- November 16, 2022
An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
XXE
A code injection vulnerability in the User Portal and Webadmin
CVE-2022-3236
9.8 - Critical
- September 23, 2022
A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.
Code Injection
Multiple SQLi vulnerabilities in Webadmin
CVE-2022-1807
7.2 - High
- September 07, 2022
Multiple SQLi vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 18.5 MR4 and version 19.0 MR1.
SQL Injection
An insecure data storage vulnerability
CVE-2021-25266
3.9 - Low
- April 27, 2022
An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495.
Insecure Storage of Sensitive Information
An information disclosure vulnerability in Webadmin
CVE-2022-0331
5.3 - Medium
- March 29, 2022
An information disclosure vulnerability in Webadmin allows an unauthenticated remote attacker to read the device serial number in Sophos Firewall version v18.5 MR2 and older.
An authentication bypass vulnerability in the User Portal and Webadmin
CVE-2022-1040
9.8 - Critical
- March 25, 2022
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
Confd log files contain local users', including root's, SHA512crypt password hashes with insecure access permissions
CVE-2022-0652
7.8 - High
- March 22, 2022
Confd log files contain local users', including root's, SHA512crypt password hashes with insecure access permissions. This allows a local attacker to attempt off-line brute-force attacks against these password hashes in Sophos UTM before version 9.710.
Insertion of Sensitive Information into Log File
A post-auth SQL injection vulnerability in the Mail Manager potentially
CVE-2022-0386
8.8 - High
- March 22, 2022
A post-auth SQL injection vulnerability in the Mail Manager potentially allows an authenticated attacker to execute code in Sophos UTM before version 9.710.
SQL Injection
A local attacker can overwrite arbitrary files on the system with VPN client logs using administrator privileges
CVE-2021-36809
6 - Medium
- March 08, 2022
A local attacker can overwrite arbitrary files on the system with VPN client logs using administrator privileges, potentially resulting in a denial of service and data loss, in all versions of Sophos SSL VPN client.
An authenticated user could potentially execute code
CVE-2021-36807
8.8 - High
- November 26, 2021
An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.
SQL Injection
A local administrator could prevent the HMPA service
CVE-2021-25269
4.4 - Medium
- November 26, 2021
A local administrator could prevent the HMPA service from starting despite tamper protection using an unquoted service path vulnerability in the HMPA component of Sophos Intercept X Advanced and Sophos Intercept X Advanced for Server before version 2.0.23, as well as Sophos Exploit Prevention before version 3.8.3.
Unquoted Search Path or Element
A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.
CVE-2021-36808
7 - High
- October 30, 2021
A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.
Race Condition
A local attacker could read or write arbitrary files with administrator privileges in HitmanPro before version Build 318.
CVE-2021-25271
6 - Medium
- October 08, 2021
A local attacker could read or write arbitrary files with administrator privileges in HitmanPro before version Build 318.
A local attacker could execute arbitrary code with administrator privileges in HitmanPro.Alert before version Build 901.
CVE-2021-25270
6.7 - Medium
- October 08, 2021
A local attacker could execute arbitrary code with administrator privileges in HitmanPro.Alert before version Build 901.
Stored XSS can execute as administrator in quarantined email detail view in Sophos UTM before version 9.706.
CVE-2021-25273
4.8 - Medium
- July 29, 2021
Stored XSS can execute as administrator in quarantined email detail view in Sophos UTM before version 9.706.
XSS
In multiple versions of Sophos Endpoint products for MacOS
CVE-2021-25264
6.7 - Medium
- May 17, 2021
In multiple versions of Sophos Endpoint products for MacOS, a local attacker could execute arbitrary code with administrator privileges.
An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04
CVE-2020-29574
9.8 - Critical
- December 11, 2020
An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.
SQL Injection
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5
CVE-2020-25223
9.8 - Critical
- September 25, 2020
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
Shell injection
Sophos XG Firewall 17.x through v17.5 MR12
CVE-2020-15069
9.8 - Critical
- June 29, 2020
Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.
Classic Buffer Overflow
The Sophos Secure Email application through 3.9.4 for Android has Missing SSL Certificate Validation.
CVE-2020-14980
5.9 - Medium
- June 22, 2020
The Sophos Secure Email application through 3.9.4 for Android has Missing SSL Certificate Validation.
Improper Certificate Validation
A SQL injection issue was found in SFOS 17.0
CVE-2020-12271
9.8 - Critical
- April 27, 2020
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).
SQL Injection
Mac Endpoint for Sophos Central before 9.9.6 and Mac Endpoint for Sophos Home before 2.2.6
CVE-2020-10947
8.8 - High
- April 17, 2020
Mac Endpoint for Sophos Central before 9.9.6 and Mac Endpoint for Sophos Home before 2.2.6 allow Privilege Escalation.
Improper Privilege Management
Sophos HitmanPro.Alert before build 861
CVE-2020-9540
7.8 - High
- March 02, 2020
Sophos HitmanPro.Alert before build 861 allows local elevation of privilege.
Improper Privilege Management
The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive
CVE-2020-9363
7.8 - High
- February 24, 2020
The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive. This affects Endpoint Protection, Cloud Optix, Mobile, Intercept X Endpoint, Intercept X for Server, and Secure Web Gateway. NOTE: the vendor feels that this does not apply to endpoint-protection products because the virus would be detected upon extraction.
Interpretation Conflict
An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744
CVE-2018-3971
7.8 - High
- October 25, 2018
An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to write data to an attacker-controlled address, resulting in memory corruption. An attacker can send an IRP request to trigger this vulnerability.
Write-what-where Condition
An exploitable memory disclosure vulnerability exists in the 0x222000 IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744
CVE-2018-3970
5.5 - Medium
- October 25, 2018
An exploitable memory disclosure vulnerability exists in the 0x222000 IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure. An attacker can send an IRP request to trigger this vulnerability.
Use of Uninitialized Resource
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation
CVE-2018-6857
7.8 - High
- July 09, 2018
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x802022E0. By crafting an input buffer we can control the execution path to the point where the constant 0x12 will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.
Buffer Overflow
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation
CVE-2018-6853
7.8 - High
- July 09, 2018
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80206024. By crafting an input buffer we can control the execution path to the point where a global variable will be written to a user controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM.
Buffer Overflow
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation
CVE-2018-6854
7.8 - High
- July 09, 2018
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via multiple IOCTLs, e.g., 0x8810200B, 0x8810200F, 0x8810201B, 0x8810201F, 0x8810202B, 0x8810202F, 0x8810203F, 0x8810204B, 0x88102003, 0x88102007, 0x88102013, 0x88102017, 0x88102027, 0x88102033, 0x88102037, 0x88102043, and 0x88102047. When some conditions in the user-controlled input buffer are not met, the driver writes an error code (0x2000001A) to a user-controlled address. Also, note that all the aforementioned IOCTLs use transfer type METHOD_NEITHER, which means that the I/O manager does not validate any of the supplied pointers and buffer sizes. So, even though the driver checks for input/output buffer sizes, it doesn't validate if the pointers to those buffers are actually valid. So, we can supply a pointer for the output buffer to a kernel address space address, and the error code will be written there. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.
Buffer Overflow
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation
CVE-2018-6855
7.8 - High
- July 09, 2018
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202014. By crafting an input buffer we can control the execution path to the point where the constant 0xFFFFFFF will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.
Buffer Overflow
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation
CVE-2018-6852
7.8 - High
- July 09, 2018
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202298. By crafting an input buffer we can control the execution path to the point where the nt!memset function is called to zero out contents of a user-controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM.
Buffer Overflow