| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2022-48310 |
312 |
|
|
2023-03-01 |
2023-03-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An information disclosure vulnerability allows sensitive key material to be included in technical support archives in Sophos Connect versions older than 2.2.90. |
|
2 |
CVE-2022-48309 |
352 |
|
CSRF |
2023-03-01 |
2023-03-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A CSRF vulnerability allows malicious websites to retrieve logs and technical support archives in Sophos Connect versions older than 2.2.90. |
|
3 |
CVE-2022-4901 |
79 |
|
XSS |
2023-03-01 |
2023-03-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Multiple stored XSS vulnerabilities in Sophos Connect versions older than 2.2.90 allow Javascript code to run in the local UI via a malicious VPN configuration that must be manually loaded by the victim. |
|
4 |
CVE-2022-3980 |
611 |
|
Exec Code |
2022-11-16 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4. |
|
5 |
CVE-2022-3236 |
74 |
|
Exec Code |
2022-09-23 |
2022-09-28 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older. |
|
6 |
CVE-2022-1807 |
89 |
|
Sql |
2022-09-07 |
2022-09-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Multiple SQLi vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 18.5 MR4 and version 19.0 MR1. |
|
7 |
CVE-2022-1040 |
287 |
|
Exec Code Bypass |
2022-03-25 |
2022-10-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older. |
|
8 |
CVE-2022-0652 |
307 |
|
|
2022-03-22 |
2022-03-28 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Confd log files contain local users', including root’s, SHA512crypt password hashes with insecure access permissions. This allows a local attacker to attempt off-line brute-force attacks against these password hashes in Sophos UTM before version 9.710. |
|
9 |
CVE-2022-0386 |
89 |
|
Exec Code Sql |
2022-03-22 |
2022-03-28 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A post-auth SQL injection vulnerability in the Mail Manager potentially allows an authenticated attacker to execute code in Sophos UTM before version 9.710. |
|
10 |
CVE-2022-0331 |
200 |
|
+Info |
2022-03-29 |
2022-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An information disclosure vulnerability in Webadmin allows an unauthenticated remote attacker to read the device serial number in Sophos Firewall version v18.5 MR2 and older. |
|
11 |
CVE-2021-36809 |
|
|
DoS |
2022-03-08 |
2022-07-12 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
A local attacker can overwrite arbitrary files on the system with VPN client logs using administrator privileges, potentially resulting in a denial of service and data loss, in all versions of Sophos SSL VPN client. |
|
12 |
CVE-2021-36808 |
362 |
|
Bypass |
2021-10-30 |
2021-11-29 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115. |
|
13 |
CVE-2021-36807 |
89 |
|
Exec Code Sql |
2021-11-26 |
2021-11-30 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8. |
|
14 |
CVE-2021-25273 |
79 |
|
XSS |
2021-07-29 |
2021-12-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Stored XSS can execute as administrator in quarantined email detail view in Sophos UTM before version 9.706. |
|
15 |
CVE-2021-25271 |
|
|
|
2021-10-08 |
2022-05-03 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
A local attacker could read or write arbitrary files with administrator privileges in HitmanPro before version Build 318. |
|
16 |
CVE-2021-25270 |
|
|
Exec Code |
2021-10-08 |
2022-05-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
A local attacker could execute arbitrary code with administrator privileges in HitmanPro.Alert before version Build 901. |
|
17 |
CVE-2021-25269 |
428 |
|
|
2021-11-26 |
2021-12-03 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
A local administrator could prevent the HMPA service from starting despite tamper protection using an unquoted service path vulnerability in the HMPA component of Sophos Intercept X Advanced and Sophos Intercept X Advanced for Server before version 2.0.23, as well as Sophos Exploit Prevention before version 3.8.3. |
|
18 |
CVE-2021-25266 |
922 |
|
|
2022-04-27 |
2022-05-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495. |
|
19 |
CVE-2021-25264 |
|
|
Exec Code |
2021-05-17 |
2022-07-12 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
In multiple versions of Sophos Endpoint products for MacOS, a local attacker could execute arbitrary code with administrator privileges. |
|
20 |
CVE-2020-29574 |
89 |
|
Sql |
2020-12-11 |
2020-12-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely. |
|
21 |
CVE-2020-25223 |
78 |
|
Exec Code |
2020-09-25 |
2022-10-05 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11 |
|
22 |
CVE-2020-17352 |
78 |
|
Exec Code |
2020-08-07 |
2020-08-12 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code. |
|
23 |
CVE-2020-15504 |
89 |
|
Sql |
2020-07-10 |
2020-07-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other versions >= 17.0 have received a hotfix. |
|
24 |
CVE-2020-14980 |
295 |
|
|
2020-06-22 |
2023-01-27 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Sophos Secure Email application through 3.9.4 for Android has Missing SSL Certificate Validation. |
|
25 |
CVE-2020-10947 |
269 |
|
|
2020-04-17 |
2021-07-21 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Mac Endpoint for Sophos Central before 9.9.6 and Mac Endpoint for Sophos Home before 2.2.6 allow Privilege Escalation. |
|
26 |
CVE-2020-9540 |
269 |
|
|
2020-03-02 |
2021-07-21 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Sophos HitmanPro.Alert before build 861 allows local elevation of privilege. |
|
27 |
CVE-2020-9363 |
436 |
|
Bypass |
2020-02-24 |
2022-04-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive. This affects Endpoint Protection, Cloud Optix, Mobile, Intercept X Endpoint, Intercept X for Server, and Secure Web Gateway. NOTE: the vendor feels that this does not apply to endpoint-protection products because the virus would be detected upon extraction. |
|
28 |
CVE-2018-9233 |
916 |
|
|
2018-04-05 |
2019-10-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for password storage in %PROGRAMDATA%\Sophos\Sophos Anti-Virus\Config\machine.xml, which makes it easier for attackers to determine a cleartext password, and subsequently choose unsafe malware settings, via rainbow tables or other approaches. |
|
29 |
CVE-2018-6857 |
119 |
|
Exec Code Overflow |
2018-07-09 |
2019-10-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x802022E0. By crafting an input buffer we can control the execution path to the point where the constant 0x12 will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. |
|
30 |
CVE-2018-6856 |
119 |
|
Exec Code Overflow |
2018-07-09 |
2019-10-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x8020601C. By crafting an input buffer we can control the execution path to the point where a global variable will be written to a user controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM. |
|
31 |
CVE-2018-6855 |
119 |
|
Exec Code Overflow |
2018-07-09 |
2019-10-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202014. By crafting an input buffer we can control the execution path to the point where the constant 0xFFFFFFF will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. |
|
32 |
CVE-2018-6854 |
119 |
|
Exec Code Overflow |
2018-07-09 |
2019-10-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via multiple IOCTLs, e.g., 0x8810200B, 0x8810200F, 0x8810201B, 0x8810201F, 0x8810202B, 0x8810202F, 0x8810203F, 0x8810204B, 0x88102003, 0x88102007, 0x88102013, 0x88102017, 0x88102027, 0x88102033, 0x88102037, 0x88102043, and 0x88102047. When some conditions in the user-controlled input buffer are not met, the driver writes an error code (0x2000001A) to a user-controlled address. Also, note that all the aforementioned IOCTLs use transfer type METHOD_NEITHER, which means that the I/O manager does not validate any of the supplied pointers and buffer sizes. So, even though the driver checks for input/output buffer sizes, it doesn't validate if the pointers to those buffers are actually valid. So, we can supply a pointer for the output buffer to a kernel address space address, and the error code will be written there. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. |
|
33 |
CVE-2018-6853 |
119 |
|
Exec Code Overflow |
2018-07-09 |
2019-10-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80206024. By crafting an input buffer we can control the execution path to the point where a global variable will be written to a user controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM. |
|
34 |
CVE-2018-6852 |
119 |
|
Exec Code Overflow |
2018-07-09 |
2019-10-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202298. By crafting an input buffer we can control the execution path to the point where the nt!memset function is called to zero out contents of a user-controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM. |
|
35 |
CVE-2018-6851 |
119 |
|
Exec Code Overflow |
2018-07-09 |
2019-10-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80206040. By crafting an input buffer we can control the execution path to the point where the constant DWORD 0 will be written to a user-controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM. |
|
36 |
CVE-2018-6319 |
476 |
|
DoS |
2018-02-02 |
2019-10-03 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
In Sophos Tester Tool 3.2.0.7 Beta, the driver accepts a special DeviceIoControl code that doesn't check its argument. This argument is a memory address: if a caller passes a NULL pointer or a random invalid address, the driver will cause a Blue Screen of Death. If a program or malware does this at boot time, it can cause a persistent denial of service on the machine. |
|
37 |
CVE-2018-6318 |
426 |
|
|
2018-02-02 |
2018-02-15 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In Sophos Tester Tool 3.2.0.7 Beta, the driver loads (in the context of the application used to test an exploit or ransomware) the DLL using a payload that runs from NTDLL.DLL (so, it's run in userland), but the driver doesn't perform any validation of this DLL (not its signature, not its hash, etc.). A person can change this DLL in a local way, or with a remote connection, to a malicious DLL with the same name -- and when the product is used, this malicious DLL will be loaded, aka a DLL Hijacking attack. |
|
38 |
CVE-2018-4863 |
254 |
|
Bypass |
2018-04-05 |
2018-05-18 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Sophos Endpoint Protection 10.7 allows local users to bypass an intended tamper protection mechanism by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\ registry key. |
|
39 |
CVE-2018-3971 |
123 |
|
Mem. Corr. |
2018-10-25 |
2023-02-02 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to write data under controlled by an attacker address, resulting in memory corruption. An attacker can send IRP request to trigger this vulnerability. |
|
40 |
CVE-2018-3970 |
908 |
|
|
2018-10-25 |
2023-02-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An exploitable memory disclosure vulnerability exists in the 0x222000 IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure. An attacker can send an IRP request to trigger this vulnerability. |
|
41 |
CVE-2017-17023 |
345 |
|
|
2019-04-09 |
2019-10-03 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The Sophos UTM VPN endpoint interacts with client software provided by NPC Engineering (www.ncp-e.com). The affected client software, "Sophos IPSec Client" 11.04 is a rebranded version of NCP "Secure Entry Client" 10.11 r32792. A vulnerability in the software update feature of the VPN client allows a man-in-the-middle (MITM) or man-on-the-side (MOTS) attacker to execute arbitrary, malicious software on a target user's computer. This is related to SIC_V11.04-64.exe (Sophos), NCP_EntryCl_Windows_x86_1004_31799.exe (NCP), and ncpmon.exe (both Sophos and NCP). The vulnerability exists because: (1) the VPN client requests update metadata over an insecure HTTP connection; and (2) the client software does not check if the software update is signed before running it. |
|
42 |
CVE-2017-9523 |
79 |
|
XSS |
2017-06-09 |
2017-06-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Sophos Web Appliance before 4.3.2 has XSS in the FTP redirect page, aka NSWA-1342. |
|
43 |
CVE-2017-7441 |
119 |
|
Overflow +Info |
2017-09-13 |
2017-09-26 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
In Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the HitmanPro.Alert solution and Sophos Clean), a crafted IOCTL with code 0x22E1C0 might lead to kernel data leaks. Because the leak occurs at the driver level, an attacker can use this vulnerability to leak some critical information about the machine such as nt!ExpPoolQuotaCookie. |
|
44 |
CVE-2017-6412 |
384 |
|
|
2017-03-30 |
2017-04-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310. |
|
45 |
CVE-2017-6184 |
77 |
|
|
2017-03-30 |
2017-04-04 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via the token parameter, aka NSWA-1303. |
|
46 |
CVE-2017-6183 |
77 |
|
|
2017-03-30 |
2017-04-04 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's configuration utilities for adding (and detecting) Active Directory servers was vulnerable to remote command injection, aka NSWA-1314. |
|
47 |
CVE-2017-6182 |
78 |
|
|
2017-03-30 |
2019-10-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304. |
|
48 |
CVE-2017-6008 |
119 |
|
Overflow |
2017-09-13 |
2017-10-29 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the HitmanPro.Alert solution and Sophos Clean) allows local users to escalate privileges via a malformed IOCTL call. |
|
49 |
CVE-2017-6007 |
119 |
|
Overflow |
2017-09-13 |
2017-09-21 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the HitmanPro.Alert solution and Sophos Clean) allows local users to crash the OS via a malformed IOCTL call. |
|
50 |
CVE-2016-9554 |
77 |
|
Exec Code |
2017-01-28 |
2017-03-13 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
The Sophos Web Appliance Remote / Secure Web Gateway server (version 4.2.1.3) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. These vulnerabilities occur in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), in the component responsible for performing diagnostic tests with the UNIX wget utility. The application doesn't properly escape the information passed in the 'url' variable before calling the executeCommand class function ($this->dtObj->executeCommand). This function calls exec() with unsanitized user input allowing for remote command injection. The page that contains the vulnerabilities, /controllers/MgrDiagnosticTools.php, is accessed by a built-in command answered by the administrative interface. The command that calls to that vulnerable page (passed in the 'section' parameter) is: 'configuration'. Exploitation of this vulnerability yields shell access to the remote machine under the 'spiderman' user account. |
