CVE-2023-1671 — Sophos Web Appliance Command Injection Vulnerability


Sophos Web Appliance — Pre-Auth Command Injection in warn-proceed Handler Enables RCE; EOL Product July 2023; KEV Added November 2023

What is Sophos Web Appliance?

Sophos Web Appliance (SWA, formerly Astaro Web Gateway) is a hardware and virtual proxy appliance that provides web filtering, malware scanning, and URL categorization for organizations — intercepting and inspecting all HTTP/HTTPS traffic from users to the internet. Organizations deploy it as an inline or explicit proxy to enforce acceptable use policies and block malicious content. The appliance's administrative web interface and end-user facing "warn-proceed" page (a web page that warns users when they attempt to visit restricted sites) are both accessible over the network, with the warn-proceed handler being the vulnerable component in CVE-2023-1671. Sophos discontinued the Web Appliance on July 20, 2023, recommending migration to Sophos Web Gateway (cloud-based).

Overview

CVE-2023-1671 is a pre-authentication command injection vulnerability in the Sophos Web Appliance's warn-proceed handler — the page displayed to users attempting to access restricted websites. An unauthenticated attacker can send a crafted request to this handler that injects OS commands, which execute on the appliance with elevated privileges. Sophos patched it via automatic hotfix on April 4, 2023; the appliance reached end-of-life July 20, 2023. CISA added it to KEV in November 2023, seven months after the patch, confirming continued exploitation of unpatched or EOL appliances.

Affected Versions

Product: Sophos Web Appliance
Vulnerable: Versions prior to 4.3.10.4
Fixed: 4.3.10.4 (hotfix auto-applied)

Note: Sophos Web Appliance reached end-of-life on July 20, 2023. Organizations still running it should migrate to a supported alternative.

Technical Details

The underlying weakness is CWE-77 (Improper Neutralization of Special Elements used in a Command — Command Injection). The Sophos Web Appliance presents a "warn-proceed" page to users when they attempt to visit websites in restricted categories, requiring them to acknowledge the warning before proceeding. This page accepts user-controlled input (for example, the URL the user is trying to visit) that is passed to backend command processing without sufficient sanitization. An attacker can craft a request to the warn-proceed endpoint containing OS command metacharacters, which the appliance's operating system then executes.

The attack does not require authentication — the warn-proceed page is designed to be accessible to unauthenticated users (it is displayed before login). Command injection via this handler achieves code execution at the privilege level of the web server process on the appliance, typically as root or with very high privileges on the embedded Linux OS.
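As an added illustration (not Sophos code; the handler's real internals are not described on this page), the CWE-77 pattern beside its hardened form in Python. CATEGORIZE_TOOL is a hypothetical backend tool and the url parameter is an assumption; the unsafe variant is only built as a string, never run.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Hypothetical backend tool invoked by the handler; not the real Sophos component.
CATEGORIZE_TOOL = "/opt/hypothetical/categorize"


def unsafe_command(url: str) -> str:
    """The CWE-77 shape: untrusted input spliced into a shell command string.
    Single quotes do not help once the input itself contains a quote. Returned
    as a string for comparison only; nothing here executes it."""
    return f"{CATEGORIZE_TOOL} --url '{url}'"


def validate_url(url: str) -> str:
    """Allow-list check: http(s) scheme and a plain DNS-style hostname only."""
    if len(url) > 2048:
        raise ValueError("url too long")
    parts = urlsplit(url)  # may itself raise ValueError on malformed input
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    host = parts.hostname or ""
    if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", host):
        raise ValueError("hostname contains unexpected characters")
    return url


def rejects(url: str) -> bool:
    """True when validate_url refuses the input (convenience for checks)."""
    try:
        validate_url(url)
    except ValueError:
        return True
    return False


def safe_argv(url: str) -> list[str]:
    """Hardened form: validate, then hand the value to the tool as one argv
    element. With subprocess.run(argv) (shell=False, the default) no shell ever
    parses the string, so metacharacters in the path or query are inert."""
    return [CATEGORIZE_TOOL, "--url", validate_url(url)]
```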

Discovery

The vulnerability was discovered and reported to Sophos by security researchers. Sophos assigned CVE-2023-1671 and released an automatic hotfix on April 4, 2023; connected SWA appliances received the patch automatically, with no administrator action required.

Exploitation Context

The seven-month gap between patch (April 2023) and CISA KEV addition (November 2023) suggests that threat actors identified and exploited appliances that either did not receive the automatic update (offline/isolated appliances, or those where automatic updates were disabled) or remained on end-of-life hardware past July 2023. Web proxy appliances are sensitive targets because:

  1. They intercept all user web traffic, including authenticated sessions, credentials passed in URLs, and session tokens.
  2. Compromising an inline proxy allows traffic manipulation and credential harvesting at scale.
  3. The appliance's network position is often inside the DMZ or on internal networks, making a compromised appliance a useful pivot point.

Remediation

  1. Confirm the Sophos Web Appliance has received the 4.3.10.4 hotfix — check the appliance version in the admin console. Connected appliances received it automatically, but isolated or offline appliances may not have.
  2. If still running Sophos Web Appliance past its July 20, 2023 end-of-life date: migrate to a supported alternative (Sophos Web Gateway, or alternative web proxy/CASB solution) — no further security updates are available from Sophos.
  3. Restrict appliance management interface access to trusted management networks only.
  4. Review appliance logs for unexpected inbound requests to the warn-proceed handler from external IPs.
  5. Check the appliance for unauthorized configuration changes, new accounts, or unexpected processes that could indicate prior compromise.
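An added example for the log review in step 4 (not a Sophos tool; the access-log format, the /warn-proceed path and the internal address ranges are assumptions to adjust): it parses constructed log lines and flags warn-proceed requests that come from non-internal addresses or carry shell metacharacters in a parameter value.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines in a generic access-log shape (not real SWA logs).
SAMPLE_LOG = """\
10.20.0.15 - - [03/Nov/2023:09:12:01 +0000] "GET /warn-proceed?url=https%3A%2F%2Fexample.test HTTP/1.1" 200 512
203.0.113.44 - - [03/Nov/2023:09:13:07 +0000] "POST /warn-proceed HTTP/1.1" 200 88
10.20.0.15 - - [03/Nov/2023:09:14:22 +0000] "GET /warn-proceed?url=https%3A%2F%2Fexample.test%2F%3Bx HTTP/1.1" 200 512
198.51.100.9 - - [03/Nov/2023:09:15:40 +0000] "GET /admin/ HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed handler path; substitute the path your appliance actually serves.
WARN_PROCEED_PATH = "/warn-proceed"
# Networks treated as internal; adjust to the user and management ranges in scope.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Characters that have no business in a URL parameter value handed to a shell.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text: str) -> list:
    """Return one finding per warn-proceed request that looks out of place."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["path"].partition("?")
        if path != WARN_PROCEED_PATH:
            continue
        reasons = []
        if not is_internal(m["ip"]):
            reasons.append("external source ip")
        # Decode each parameter separately so '&' separators are not misread.
        if any(SHELL_META.search(unquote(p)) for p in query.split("&") if p):
            reasons.append("shell metacharacters in query")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "reasons": reasons})
    return findings
```

Run triage over the appliance's exported access log in place of SAMPLE_LOG; each finding carries the source IP, timestamp and the reason it was flagged.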

See Also

This CVE is part of a broader pattern of endpoint security products appearing in CISA KEV. See "Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV" for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.

Key Details

CVE ID: CVE-2023-1671
Vendor / Product: Sophos — Web Appliance
NVD Published: 2023-04-04
NVD Last Modified: 2025-10-27
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-77
CISA KEV Added: 2023-11-16
CISA KEV Deadline: 2023-12-07
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-12-07. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

2023-04-04: Sophos publishes SA-20230404-SWA-RCE and releases hotfix for CVE-2023-1671; appliance receives automatic update
2023-07-20: Sophos Web Appliance reaches end-of-life — no further support or updates after this date
2023-11-16: CISA adds CVE-2023-1671 to Known Exploited Vulnerabilities catalog — active exploitation confirmed 7 months after patch
2023-12-07: CISA BOD 22-01 remediation deadline