Pre-Auth SQL Injection Vulnerability in Sophos Cyberoam OS (CVE-2020-29574)

ISGroup Cybersecurity

A critical pre-authentication SQL injection vulnerability has been discovered and patched in Sophos Cyberoam OS (CROS), which allows remote attackers to execute SQL commands if the administrative interface is exposed to the WAN. This vulnerability has been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, indicating that it is being actively exploited. Sophos has released a hotfix for affected devices, but organizations using Cyberoam firewalls must ensure their systems are updated or migrate to Sophos XG Firewall, as Cyberoam devices have been discontinued since 2019.

ProductCyberoam
Date2025-02-11 09:35:55
Information
  • Fix Available
  • Active Exploitation

Technical Summary

The vulnerability resides in the web administrative interface of Cyberoam OS (CROS) and can be exploited remotely via SQL injection. If the administrative HTTPS service is exposed to the internet, an attacker can manipulate SQL queries to add unauthorized user accounts to the system. The flaw allows an unauthenticated attacker to gain control of the affected firewall, with potential implications for network compromise.

Sophos has provided automatic over-the-air (OTA) patches for supported versions of CROS. However, organizations still using Cyberoam devices should manually verify that their systems are updated by running the command cyberoam diagnostics show version-info.

Recommendations

  • Apply the patch immediately: Ensure that Cyberoam OS is updated to the latest version by checking for the corrective patch via the diagnostic command.
  • Disable WAN exposure: Administrators should disable WAN access to the web admin interface and SSH to mitigate unauthorized access.
  • Check for unauthorized users: Security teams should review user accounts on Cyberoam devices to identify signs of compromise.

[Callforaction-THREAT-Footer]