Attacker Value: Very High
CVE-2020-25223
Last updated September 23, 2020
A remote code execution vulnerability in the WebAdmin of SG UTM was recently discovered and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.
Sophos would like to thank Łukasz Rupala for responsibly disclosing this issue to Sophos.
The remediation prevented users from remotely executing arbitrary code. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted.
Fix included in SG UTM v9.705 MR5, v9.607 MR7, and v9.511 MR11 on September 17, 2020.
Users of older versions of SG UTM are required to upgrade to receive this fix.
Workaround
Customers can protect themselves by ensuring their WebAdmin is not exposed to WAN.
This can be achieved by keeping Internal (LAN) (Network) or another internal-only network definition as the sole entry in Management→WebAdmin Settings→WebAdmin Access Configuration→Allowed Networks.
Attacker Value: Unknown
CVE-2020-25223
Disclosure Date: September 25, 2020 (last updated October 18, 2023)
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11.