Sophos XG Firewall <= 17.5.12 RCE

16 Jul 2025 00:00:00 · Reported by Tenable · Type: nessus · www.tenable.com

Sophos XG Firewall ≤ 17.5.12 may be affected by a remote code execution vulnerability via the HTTP/S Bookmarks feature.

Related

Reporter               Title                                                      Published          Family
ATTACKERKB             CVE-2020-15069                                             29 Jun 2020 00:00  attackerkb
Circl                  CVE-2020-15069                                             6 Feb 2025 17:21   circl
CISA KEV Catalog       Sophos XG Firewall Buffer Overflow Vulnerability           6 Feb 2025 00:00   cisa_kev
CISA                   CISA Adds Five Known Exploited Vulnerabilities to Catalog  6 Feb 2025 12:00   cisa
CVE                    CVE-2020-15069                                             29 Jun 2020 17:30  cve
Cvelist                CVE-2020-15069                                             29 Jun 2020 17:30  cvelist
NVD                    CVE-2020-15069                                             29 Jun 2020 18:15  nvd
OSV                    CVE-2020-15069                                             29 Jun 2020 18:15  osv
Prion                  Buffer overflow                                            29 Jun 2020 18:15  prion
Positive Technologies  PT-2020-14161 · Sophos · Sophos Firewall                   29 Jun 2020 00:00  ptsecurity

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(242169);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/07/17");

  script_cve_id("CVE-2020-15069");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/02/27");

  script_name(english:"Sophos XG Firewall <= 17.5.12 RCE");

  script_set_attribute(attribute:"synopsis", value:
"The remote Sophos XG Firewall may be affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks
feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://community.sophos.com/b/security-blog/posts/advisory-buffer-overflow-vulnerability-in-user-portal
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2e882ea0");
  script_set_attribute(attribute:"solution", value:
"Apply Hotfix HF062020.1 or upgrade to SFOS v18");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-15069");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/07/16");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:sophos:xg_firewall_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("sophos_xg_firewall_detect.nbin");
  script_require_keys("installed_sw/Sophos XG Firewall", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('http.inc');

var app_name = 'Sophos XG Firewall';
var port = get_http_port(default:443);
var app_info = vcf::get_app_info(app:app_name, port:port, webapp:TRUE);

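# Not checking hotfixes: only the self-reported version is compared, so the
# plugin cannot tell whether Hotfix HF062020.1 is installed and runs only
# when paranoid reporting is enabled (report_paranoia >= 2).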
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

var constraints = [
  {'max_version' : '17.5.12.99999', 'fixed_display' : 'Apply Hotfix HF062020.1 or upgrade to SFOS v18'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

17 Jul 2025 00:00 (current)
Vulners AI Score: 9.1 (High risk)
CVSS 2: 7.5
CVSS 3.1: 9.8
EPSS: 0.10674