Sophos Web Appliance vulnerability exploited in the wild (CVE-2023-1671)

CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog, among them a critical vulnerability (CVE-2023-1671) in Sophos Web Appliance that has been patched by the company in April 2023.

About CVE-2023-1671

CVE-2023-1671 is a pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance that allows attackers to execute arbitrary code.

Sophos Web Appliance is a web gateway appliance that functions as a web proxy and scans potentially harmful content for numerous forms of malware.

The vulnerability was disclosed in early April by an external security researcher through the Sophos bug bounty program. It affected all versions of the appliances prior to version

At the time, the company pushed out the update with the fix to all Sophos Web Appliance customers who haven’t switched off the “automatic update” setting (which is on by default). Sophos also advised customers to keep the device behind a firewall, i.e., to make sure it’s not accessible via the public internet.

The company also made sure to stress that Sophos Web Appliance would be reaching end of life on July 20, 2023, and would then stop receiving security or software updates. They urged organizations to switch to using Sophos Firewall.

CVE-2023-1671 exploited

A public PoC exploit for CVE-2023-1671 has been available since late April, and so has a script that could be used by defenders to scan for vulnerable devices on their network.

Still, it apparently took many months for attackers to try and leverage the flaw, most likely because the default automatic updating setting considerably reduced the potential pool of targets.

But now the Cybersecurity and Infrastructure Security Agency says it has evidence of active exploitation, though (as per usual) it didn’t offer more information than that.

Attackers often leverage older vulnerabilities

With vulnerability patching at organizations being, well, patchy, attackers still regularly exploit older vulnerabilities in their attacks.

In fact, one of the three vulnerabilities added by CISA to its KEV catalogue on Thursday is CVE-2020-2551, an unspecified bug in the Oracle WebLogic Server product of Oracle Fusion Middleware that has been reported by a researcher and patched way back in 2020.

Don't miss