CVE-2020-15069 is a critical vulnerability affecting Sophos XG Firewall v17.x, which has been actively exploited in real-world environments. The flaw resides in the user portal functionality exposed on the WAN, making devices accessible from the Internet particularly vulnerable. Given the widespread use of Sophos firewalls in corporate and government networks, it is crucial to implement immediate mitigation measures to prevent unauthorized access and potential compromise.
| Product | Sophos |
| Date | 2025-02-11 16:38:52 |
| Information |
|
Technical Summary
This vulnerability is due to a previously unknown buffer overflow in the HTTP/S bookmark feature of the firewall’s user portal. Attackers can remotely exploit this flaw to execute arbitrary code on affected systems, with the potential for full device compromise. Sophos has released a hotfix that removes the vulnerable functionality on all XG firewalls running SFOS v17.x, while SFOS v18 is not affected. Organizations that have not yet applied the fix remain at risk of exploitation.
Recommendations
- Update immediately: Apply the hotfix (HF062020.1) for SFOS v17.x or upgrade to SFOS v18.
- Disable the user portal on the WAN: Restrict external access to the firewall’s user portal unless strictly necessary.
- Reset administrator and user credentials: Change passwords for all administrative and local user accounts.
- Enable automatic updates: Ensure that hotfixes are installed automatically to prevent potential exploitation.
- Monitor for indicators of compromise: Check firewall logs for unauthorized access attempts and anomalous activity.
[Callforaction-THREAT-Footer]
