CVE-2020-29574 — CyberoamOS (CROS) SQL Injection Vulnerability

CVE-2020-29574

Sophos CyberoamOS WebAdmin — Unauthenticated SQL Injection Enables Arbitrary Database Manipulation; EOL Product with No Patch, Added to KEV February 2025

What is CyberoamOS?

CyberoamOS (CROS) is the operating system for Cyberoam's UTM (Unified Threat Management) network security appliances, which provided firewall, VPN, web filtering, and intrusion prevention functionality for enterprise networks. Sophos acquired Cyberoam in 2014 and eventually reached end-of-life for the CyberoamOS product line, transitioning customers to Sophos's own XG Firewall and Sophos Firewall platforms. EOL CyberoamOS devices no longer receive security patches. The WebAdmin interface is the primary management portal for CyberoamOS devices, accessible over HTTPS to configure all security appliance functions.

Overview

CVE-2020-29574 is a SQL injection vulnerability (CWE-89) in CyberoamOS's WebAdmin interface that allows an unauthenticated remote attacker to execute arbitrary SQL statements against the appliance's backend database. The vulnerability is in the WebAdmin portal's request handling — user-supplied parameters are incorporated into SQL queries without proper sanitization, enabling SQL injection without authentication. CyberoamOS is end-of-life and will not receive a patch; CISA's required action is to discontinue use of the product. CISA added it to KEV in February 2025, over four years after the CVE was published, indicating persistent exploitation of remaining deployed CyberoamOS instances.

Affected Versions

Product                     Vulnerable   Fixed
CyberoamOS (all versions)   Yes          No patch — EOL product; discontinue use

Technical Details

  • Root cause: SQL injection (CWE-89) in CyberoamOS WebAdmin — HTTP request parameters passed to WebAdmin's server-side code are incorporated into SQL queries using string concatenation rather than parameterized queries; an unauthenticated attacker crafts SQL syntax in HTTP parameters (e.g., ' OR 1=1--, UNION SELECT, or stacked queries) that is executed by the database backend
  • Database impact: CyberoamOS's backend database stores all device configuration including: admin credentials, VPN user accounts, firewall rules, network configuration, web filtering policies, and log data; SQL injection with write access (INSERT/UPDATE/DELETE) allows modifying all of these; SQL injection with stacked query support may allow OS command execution via database-provided functions (e.g., xp_cmdshell in SQL Server), though whether such functions exist depends on the appliance's database engine, which is not identified here
  • No authentication required: The SQL injection is exploitable without any credentials — pre-authentication SQL injection in security appliance management interfaces is among the most severe vulnerability classes as it bypasses all authentication and directly accesses the configuration database
  • EOL exploitation persistence: CyberoamOS devices that remain in production after EOL lack any remediation path other than replacement; the four-year gap between CVE publication (December 2020) and CISA KEV addition (February 2025) indicates that CyberoamOS devices in government and enterprise environments were actively exploited years after the vulnerability's public disclosure
  • Network security appliance context: A compromised UTM appliance provides an attacker with full network security policy control, the ability to disable firewall rules, access to VPN credentials for all users, and a foothold at the network perimeter
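As an added illustration of the root cause in the first bullet (this is constructed example code, not CyberoamOS's WebAdmin code; the admin_users table, its columns and the sample rows are assumptions), the concatenated query is shown beside its parameterized replacement, and the tautology input from the text is run through both:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for an appliance configuration database.
    # Table and column names are assumptions for illustration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO admin_users VALUES (?, ?)",
        [("admin", "hash-a"), ("auditor", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # CWE-89: the HTTP parameter is spliced into the SQL text, so quote
    # characters in the input become part of the query's syntax.
    sql = "SELECT username FROM admin_users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened form: the value is bound as a parameter and is never parsed
    # as SQL, whatever characters it contains.
    sql = "SELECT username FROM admin_users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR 1=1--"   # the ' OR 1=1-- input named in the text
    print(lookup_vulnerable(db, tautology))     # every account row comes back
    print(lookup_parameterized(db, tautology))  # no such user: []
```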

Discovery

Disclosed in December 2020. Sophos confirmed the vulnerability in CyberoamOS but declined to patch the EOL product. CISA's February 2025 KEV addition with a required action of "discontinue use" reflects ongoing exploitation of CyberoamOS appliances in production environments that should have been replaced years prior.

Exploitation Context

SQL injection vulnerabilities in network security appliance management interfaces are highly valued attack vectors — they provide direct access to all device configuration and credentials without requiring any prior authentication. CyberoamOS appliances still in production in 2025 represent organizations that have not followed EOL guidance, leaving critical network security infrastructure permanently vulnerable. The February 2025 KEV addition indicates active exploitation campaigns specifically targeting remaining CyberoamOS deployments.

Remediation

  1. Immediately replace CyberoamOS appliances — no patch exists; CISA's required action is product discontinuation
  2. Migrate to a supported network security platform: Sophos Firewall (the CyberoamOS successor), or another supported UTM/NGFW vendor
  3. If immediate replacement is not possible: completely isolate CyberoamOS WebAdmin from all network access — block all inbound connections to the management interface until replacement is completed
  4. Before decommissioning: export all configuration data needed for migration; inventory all VPN users and credentials stored in CyberoamOS — assume these credentials are compromised and rotate them
  5. Review network logs for CyberoamOS-related exploitation indicators: unexpected admin logins, configuration changes, or unusual outbound connections from the appliance
  6. Do not accept Sophos Extended Support for EOL CyberoamOS as a substitute for replacement — a code-level flaw such as this SQL injection cannot be remediated through a support arrangement
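For step 5, an added example of scanning WebAdmin access logs for SQL syntax inside request parameters (constructed code, not a Sophos tool; the log lines, paths and parameter names are constructed samples in a generic combined-log style and are not CyberoamOS's real URLs):

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2025:09:12:01 +0000] "GET /webconsole/login.jsp?user=admin HTTP/1.1" 200 512
203.0.113.7 - - [05/Feb/2025:09:12:03 +0000] "GET /webconsole/login.jsp?user=%27%20OR%201%3D1-- HTTP/1.1" 200 9120
198.51.100.9 - - [05/Feb/2025:09:13:10 +0000] "GET /webconsole/report.jsp?id=1%20UNION%20SELECT%201%2C2 HTTP/1.1" 200 1337
192.0.2.4 - - [05/Feb/2025:09:14:00 +0000] "GET /webconsole/status.jsp?page=2 HTTP/1.1" 200 1800
"""

# source ip, timestamp, method, request target, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# SQL syntax inside a decoded parameter value: a quote followed by a boolean
# operator, UNION ... SELECT, a comment terminator, or a statement separator
# (the stacked-query case).
SQLI_RE = re.compile(
    r"(['\"]\s*(or|and)\b)|(\bunion\b.*\bselect\b)|(--|/\*)|(;\s*\w)",
    re.IGNORECASE,
)


def find_sqli_attempts(log_text: str) -> list:
    """Return (src_ip, path, param_name, decoded_value) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        src, _ts, _method, target, _status, _size = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes values, so encoded quotes are inspected.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if SQLI_RE.search(value):
                hits.append((src, parts.path, name, value))
    return hits


if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Only GET query strings are inspected here; POST bodies are not in access logs, so a full review also needs the appliance's own WebAdmin audit records where available.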

Key Details

Property               Value
CVE ID                 CVE-2020-29574
Vendor / Product       Sophos — CyberoamOS
NVD Published          2020-12-11
NVD Last Modified      2025-11-07
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-89
CISA KEV Added         2025-02-06
CISA KEV Deadline      2025-02-27
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-02-27. The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.

Timeline

Date         Event
2020-12-11   CVE published for CyberoamOS SQL injection in WebAdmin
2025-02-06   Added to CISA Known Exploited Vulnerabilities catalog — over four years after publication; CISA requires discontinuation of EOL product
2025-02-27   CISA BOD 22-01 remediation deadline

References

Resource                                            Type
Sophos Knowledge Base — CyberoamOS CVE-2020-29574   Vendor Advisory
NVD — CVE-2020-29574                                Vulnerability Database
CISA KEV Catalog Entry                              US Government