CISA has added a critical vulnerability in Sophos Web Appliance, tracked as CVE-2023-1671, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, which Sophos patched in April 2023, is a pre-auth command injection flaw in the warn-proceed handler of Sophos Web Appliance that allows unauthenticated attackers to execute arbitrary code on the device.
The vulnerability was disclosed in early April by an external security researcher through the Sophos bug bounty program. It affected all versions of the appliance prior to version 4.3.10.4.
Sophos has pushed out the update with the fix to all Sophos Web Appliance customers who haven’t switched off the “automatic update” setting (which is on by default). Sophos also advised customers to keep the device behind a firewall, i.e., to make sure it’s not accessible via the public internet.
It also made sure to stress that Sophos Web Appliance would be reaching the end of life on July 20, 2023, and would then stop receiving security or software updates. They urged organizations to switch to using Sophos Firewall.
A public PoC exploit for CVE-2023-1671 has been available since late April, and so has a script that defenders can use to scan for vulnerable devices on their network. It took many months for attackers to try to leverage the flaw, most likely because the default automatic-update setting considerably reduced the potential pool of targets.
As per CISA, it has evidence of active exploitation, though it didn't offer more information than that. With vulnerability patching at organizations being, well, patchy, attackers still regularly exploit older vulnerabilities in their attacks.