Vulnerabilities > Sophos > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-04-04 CVE-2023-1671 Command Injection vulnerability in Sophos web Appliance
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
network
low complexity
sophos CWE-77
critical
9.8
2022-11-16 CVE-2022-3980 XXE vulnerability in Sophos Mobile
An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
network
low complexity
sophos CWE-611
critical
9.8
2022-09-23 CVE-2022-3236 Code Injection vulnerability in Sophos Firewall 19.0.1
A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.
network
low complexity
sophos CWE-94
critical
9.8
2022-03-25 CVE-2022-1040 Unspecified vulnerability in Sophos Sfos
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
network
low complexity
sophos
critical
9.8
2020-09-25 CVE-2020-25223 OS Command Injection vulnerability in Sophos Unified Threat Management
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11
network
low complexity
sophos CWE-78
critical
9.8
2020-04-27 CVE-2020-12271 SQL Injection vulnerability in Sophos Sfos
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020.
network
low complexity
sophos CWE-89
critical
9.8
2019-10-11 CVE-2019-17059 OS Command Injection vulnerability in Sophos Cyberoamos
A shell injection vulnerability on the Sophos Cyberoam firewall appliance with CyberoamOS before 10.6.6 MR-6 allows remote attackers to execute arbitrary commands via the Web Admin and SSL VPN consoles.
network
low complexity
sophos CWE-78
critical
10.0
2019-06-20 CVE-2018-16118 OS Command Injection vulnerability in Sophos Sfos
A shell escape vulnerability in /webconsole/APIController in the API Configuration component of Sophos XG firewall 17.0.8 MR-8 allows remote attackers to execute arbitrary OS commands via shell metachracters in the "X-Forwarded-for" HTTP header.
network
sophos CWE-78
critical
9.3
2019-06-20 CVE-2018-16117 OS Command Injection vulnerability in Sophos Sfos 17.1
A shell escape vulnerability in /webconsole/Controller in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote authenticated attackers to execute arbitrary OS commands via shell metacharacters in the "dbName" POST parameter.
network
low complexity
sophos CWE-78
critical
9.0
2019-04-09 CVE-2017-17023 Insufficient Verification of Data Authenticity vulnerability in multiple products
The Sophos UTM VPN endpoint interacts with client software provided by NPC Engineering (www.ncp-e.com).
network
ncp-e sophos CWE-345
critical
9.3