
Researcher Warns of Threat Still Posed by Sophos SG UTM Flaw

11 Months After Patch Issued, Many Tools May Remain Unpatched
The Sophos SG UTM flaw poses a threat if unpatched. (Source: Sophos)

A little-explored critical vulnerability in the WebAdmin of Sophos' SG UTM - the software used to configure the firewall and threat detection settings of Sophos' Unified Threat Management hardware appliance - remains a threat where unpatched some 11 months after a patch was issued, a researcher says.


Tracked as CVE-2020-25223, the flaw has a 9.8 - or extremely critical - rating. If exploited, it could enable remote code execution, says Justin Kennedy, a security researcher at information security consultancy Atredis Partners.

Sophos patched the flaw last September in versions v9.705 MR5, v9.607 MR7 and v9.511 MR11.
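Because the three fixed releases sit on separate maintenance branches, a one-line "is my version newer than X" check gets the answer wrong (a 9.6xx box is not covered by the 9.705 number). The following inventory triage script is an added example, not the article's or Sophos' own code: the fixed versions come from the article, the hostnames and version strings are constructed, and the rule that the hundreds digit of the minor number identifies the maintenance branch is an assumption.

```python
"""Triage a UTM inventory against the fixed versions named for CVE-2020-25223.

Added example (not Sophos' or the article's code). The fixed versions come
from the article; the inventory below is constructed, and the branch logic
(hundreds digit of the minor number = maintenance branch) is an assumption.
"""
import re

# Fixed versions from the article: v9.705 MR5, v9.607 MR7 and v9.511 MR11.
# Keyed by branch (major, hundreds digit of the minor number).
FIXED_VERSIONS = {
    (9, 5): (9, 511),
    (9, 6): (9, 607),
    (9, 7): (9, 705),
}

# Accepts "9.705", "v9.705", "v9.705 MR5" and "9.705-5" style strings.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d{3})(?:\s*MR\d+|-\d+)?$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor) as integers, e.g. 'v9.705 MR5' -> (9, 705)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised UTM version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version_text):
    """Return 'patched', 'unpatched' or 'unknown' for one version string."""
    major, minor = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor // 100))
    if fixed is None:
        # Branch not named in the article (e.g. older 9.4xx): report it
        # for manual review rather than guessing either way.
        return "unknown"
    return "patched" if (major, minor) >= fixed else "unpatched"


def triage(inventory):
    """Group (hostname, version) pairs by patch status, preserving order."""
    report = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in inventory:
        report[assess(version)].append(host)
    return report


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("utm-hq-01", "v9.705 MR5"),
    ("utm-branch-02", "9.704"),
    ("utm-branch-03", "v9.607 MR7"),
    ("utm-lab-04", "9.600"),
    ("utm-legacy-05", "9.511 MR11"),
    ("utm-legacy-06", "9.415"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>9}: {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" are on a branch the article does not name; they need a manual check against the vendor's advisory rather than an automatic pass. Feed the script your real asset list in place of the constructed one.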

A Sophos spokesperson emphasized that the company notified customers of the urgency of patching the flaw last year and said the firm is "not aware of any attacks leveraging it."

But Kennedy found Sophos UTM device users who still had not applied the available fixes. When asked by ISMG about the likelihood of threat actors exploiting it in the future, he replied, "Absolutely. It's hard to get more impactful than unauthenticated RCE as the root user."

Exploiting an RCE flaw could give an attacker the ability to modify computer files or access banking information, or it could be leveraged for further privilege escalation to get additional capabilities on a network, Kennedy says.

Responding to Kennedy’s research findings, Sophos tells Information Security Media Group: "The additional detail in the blog raises awareness about how important it is for organizations to constantly update and patch their software. The emphasis we want to underscore is that updating and patching is a critical security best practice that organizations of all sizes need to build into their ongoing maintenance routines. Users should also ensure their WebAdmin is not exposed to WAN, and deploy all maintenance releases."


Kennedy began his investigation of the RCE vulnerability's root cause by comparing the patched and unpatched versions of the SG UTM software. He found that an attacker could exploit the flaw by sending a single HTTP request to a WebAdmin interface of SG UTM exposed to the internet.

Kennedy found that an unnamed author on Seebug had published the "Sophos UTM firmware decompiled Perl source code," and describes that write-up as follows: "The gist of the write-up is that the author found that the [.]plx files are Perl files that have been compiled using ActiveState's Perl Dev Kit and that you can access the original source by running the [.]plx file in a debugger, setting a break point, and recovering the script from memory. I went through this process and it worked surprisingly well."

About the Author

Mihir Bagwe

Senior Correspondent, Global News Desk

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
