CVE-2020-25223 — Sophos SG UTM Remote Code Execution Vulnerability


Sophos SG UTM WebAdmin — Unauthenticated OS Command Injection in WebAdmin Interface Enables Remote Code Execution on Unified Threat Management Appliance

What is Sophos SG UTM?

Sophos SG UTM (Unified Threat Management) is a network security appliance that combines firewall, IPS, VPN, web filtering, email security, and application control in a single platform. The SG UTM series is widely deployed in enterprise and mid-market organizations as the primary network security gateway. WebAdmin is SG UTM's web-based management interface, typically running on port 4444, used for configuring all UTM functions, monitoring network activity, and managing policies. As a network security gateway, the SG UTM often has interfaces in both trusted internal networks and the internet-facing perimeter, and may have its WebAdmin interface accessible from specific management networks or even the internet in some configurations. OS command injection in the WebAdmin interface allows an attacker to execute arbitrary commands on the underlying Linux-based UTM appliance — effectively compromising the organization's network security gateway.

Overview

CVE-2020-25223 is an OS command injection vulnerability (CWE-78) in the WebAdmin interface of Sophos SG UTM that allows a remote, unauthenticated attacker to execute arbitrary OS commands on the UTM appliance. Sophos patched it in September 2020. CISA added it to KEV in March 2022, reflecting active exploitation of unpatched SG UTM appliances. Compromising a UTM appliance provides an attacker with access to all network traffic flowing through the device, the ability to modify firewall and routing rules, VPN configuration, and a privileged position on the network perimeter.

Affected Versions

Product                                                        Vulnerable   Fixed
Sophos SG UTM 9.705 and earlier                                Yes          9.706 and later
Sophos SG UTM, all versions before the September 2020 hotfix   Yes          Apply the patch from the Sophos security advisory

Technical Details

  • Root cause: OS command injection (CWE-78) in the Sophos SG UTM WebAdmin interface — the WebAdmin web application processes input parameters from HTTP requests and passes them to underlying OS commands without sufficient sanitization; by injecting shell metacharacters into specific WebAdmin request parameters, an unauthenticated attacker can execute arbitrary commands as a privileged user on the UTM appliance's Linux operating system
  • Pre-authentication RCE: CVSS PR:N (no privileges required) indicates the vulnerability is reachable before any login — an attacker sends a crafted HTTP request to the WebAdmin endpoint and achieves command execution without providing valid credentials; this is the most severe exposure model for management interface vulnerabilities
  • UTM appliance compromise impact: Code execution on a UTM appliance provides: access to all network traffic traversing the device (enabling packet capture and credential theft from unencrypted protocols), the ability to disable or modify firewall rules to allow additional attacker access, VPN private key theft (enabling decryption of VPN traffic or impersonation), modification of DNS and routing to redirect traffic, and a persistent foothold on the network perimeter
  • WebAdmin port 4444 exposure: The SG UTM WebAdmin runs on port 4444 (HTTPS); in some deployments, this port is accessible from the internet for remote management, directly exposing the vulnerability; even in deployments where WebAdmin is internal-only, an attacker with any internal foothold can exploit this
  • Sophos 2020 vulnerability pattern: Sophos experienced multiple significant vulnerabilities in 2020, including the XG Firewall SQL injection/RCE (CVE-2020-12271, exploited as a zero-day) — threat actors actively target Sophos products as high-value network security assets

Discovery

Identified by security researchers and reported to Sophos. Sophos released a security advisory and patches in September 2020. CISA's March 2022 KEV addition (18 months after the patch) reflects sustained exploitation of organizations that had not applied the update.

Exploitation Context

Network security appliances are prime targets for sophisticated threat actors because they provide a trusted network position, can intercept traffic, and are often poorly monitored compared to endpoint systems. SG UTM appliances deployed as internet gateways process all outbound and inbound traffic, making them valuable for both surveillance and as pivot points into protected network segments. Exploitation of CVE-2020-25223 gives an attacker the same capabilities as a network-level man-in-the-middle position plus full administrative control over the organization's security policy enforcement point.

Remediation

  1. Apply Sophos SG UTM firmware update 9.706 or later (or the specific hotfix referenced in the Sophos security advisory) — the primary fix
  2. Restrict WebAdmin access to dedicated management hosts only — block port 4444 access from all but authorized administrator IPs via ACL or firewall rule; never expose WebAdmin to the internet
  3. If patching was delayed, treat the appliance as potentially compromised during the unpatched window: after applying the update, restore the UTM configuration from a known-good Sophos backup rather than trusting the running configuration
  4. Review UTM logs for anomalous WebAdmin access patterns, unexpected configuration changes, firewall rule modifications, or new VPN configurations that may indicate exploitation
  5. Audit network traffic logs for evidence of traffic interception or unusual routing changes that occurred before or during the exploitation window
  6. Implement a dedicated management VLAN with strict access controls for all network security appliances — WebAdmin should never be reachable from general employee networks or internet-facing interfaces
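A log-review helper for remediation steps 2 and 4, added here as an example; it is not Sophos code or a tool from the advisory. It parses constructed access-log lines in an assumed "client:port -> dstport METHOD path status" layout (the appliance's real WebAdmin log format is not given on this page), flags WebAdmin (port 4444) requests from outside an assumed management network, and flags query parameters whose decoded value carries shell metacharacters of the kind the root-cause description refers to.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

WEBADMIN_PORT = 4444
# Assumed management network allowed to reach WebAdmin; adjust to the site's ACL.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.100.0/24")]
# Shell metacharacters that have no business in a WebAdmin parameter value (CWE-78 pattern).
SHELL_META = re.compile(r"[;|&`$\n]")
# Assumed log layout "client:port -> dstport METHOD path status"; not the appliance's real format.
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):\d+ -> (?P<dport>\d+) (?P<method>\w+) (?P<path>\S+) (?P<status>\d+)$"
)
# Constructed sample lines for demonstration only.
SAMPLE_LOG = """\
10.0.100.5:51000 -> 4444 GET /?page=dashboard 200
203.0.113.9:40210 -> 4444 GET /?page=dashboard 200
198.51.100.77:3322 -> 4444 GET /?name=%60uname%20-a%60 500
10.0.100.5:51001 -> 4444 GET /?host=example.com%3Bid 200
10.0.100.5:51002 -> 443 GET /userportal 200
"""


def is_management_host(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def suspicious_params(path: str) -> list:
    """Return query parameter names whose decoded value contains a shell metacharacter."""
    query = urlsplit(path).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if SHELL_META.search(v)]


def review_webadmin_log(log_text: str) -> list:
    """One finding per WebAdmin request from an unauthorized source or with suspicious parameters."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != WEBADMIN_PORT:
            continue  # only WebAdmin (port 4444) traffic is in scope here
        reasons = []
        if not is_management_host(m["src"]):
            reasons.append("webadmin-from-unauthorized-source")
        if bad := suspicious_params(m["path"]):
            reasons.append("shell-metacharacters-in-params:" + ",".join(bad))
        if reasons:
            findings.append({"src": m["src"], "path": m["path"], "reasons": reasons})
    return findings
```

Running `review_webadmin_log(SAMPLE_LOG)` yields three findings: the two non-management sources and the management host whose `host` parameter decodes to `example.com;id`; the port 443 line is ignored.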

Key Details

CVE ID: CVE-2020-25223
Vendor / Product: Sophos — SG UTM
NVD Published: 2020-09-25
NVD Last Modified: 2025-11-07
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-78
CISA KEV Added: 2022-03-25
CISA KEV Deadline: 2022-04-15
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

2020-09-18: Sophos releases security advisory for WebAdmin RCE vulnerability in SG UTM
2020-09-25: CVE-2020-25223 published
2022-03-25: Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15: CISA BOD 22-01 remediation deadline