CVE-2020-12271
CVE-2020-12271 is a critical-severity vulnerability in Sophos Sfos with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-89.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 42% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2020-4584
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-89
- Affected product: Sophos Sfos
- Published:
- Last modified:
Description
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)
CVE-2020-12271: Critical SQL Injection in Sophos XG Firewall SFOS (ASnarok)
AI-generated analysis based on the vulnerability data on this page.
Summary
In April 2020, Sophos disclosed a critical SQL injection vulnerability in the XG Firewall operating system (SFOS) that was actively exploited in the wild. Tracked as CVE-2020-12271 and codenamed "ASnarok" by Sophos, the flaw allowed unauthenticated attackers to inject malicious SQL commands through exposed management interfaces, potentially achieving remote code execution and exfiltrating sensitive credential data from the appliance.
Background
Sophos XG Firewall is a next-generation firewall appliance used by enterprises and managed service providers to enforce perimeter security policies, VPN remote access, and web filtering. In late April 2020, Sophos reported that a subset of XG Firewall appliances had been compromised through a zero-day SQL injection flaw. The attack primarily targeted devices that had either the administration (HTTPS) service or the User Portal accessible from the WAN zone. Sophos pushed an emergency hotfix and notified affected customers directly.
Root Cause
The vulnerability is classified under CWE-89: SQL Injection. Insufficient input sanitization in a web-facing component of the XG Firewall management interface allowed attacker-supplied data to be concatenated directly into SQL queries. By manipulating specific HTTP parameters sent to the exposed portal pages, an attacker could alter query logic, bypass authentication checks, and execute arbitrary SQL commands against the device's internal database. The flaw did not require prior authentication, making it trivially exploitable over the internet.
Impact
The National Vulnerability Database assigns this flaw a CVSS v3.1 score of 9.8 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The metrics reflect that the attack is network-exploitable, requires no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability.
Sophos confirmed that successful exploitation could lead to remote code execution on the firewall appliance. In observed incidents, attackers exfiltrated usernames and hashed passwords for local device administrators, portal administrators, and user accounts configured for remote access. Notably, the compromise did not extend to externally managed Active Directory or LDAP passwords.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness only. No weaponized exploit code is included.
- Reconnaissance: The attacker scans for internet-facing Sophos XG Firewalls with either the admin HTTPS service or the User Portal enabled on the WAN interface.
- Injection Point Identification: The attacker sends crafted HTTP requests to portal endpoints that interact with the backend SQL database, supplying malicious payloads in parameters expected to contain benign identifiers or credentials.
- Authentication Bypass / Query Manipulation: Because the application concatenates user input into SQL statements without proper parameterization, the injected SQL alters query semantics. This can bypass authentication or cause the database to return data outside the intended query scope.
- Post-Exploitation: With database access, the attacker may read credential tables and, depending on the environment, achieve further code execution through database-specific primitives or by leveraging the underlying operating system.
Affected and Patched Versions
The following SFOS versions were confirmed vulnerable:
- SFOS 17.0
- SFOS 17.1
- SFOS 17.5
- SFOS 18.0 (before the 2020-04-25 hotfix)
Sophos released an automatic hotfix on 25 April 2020 for XG Firewalls with the auto-update feature enabled. Devices without auto-update required manual intervention.
Remediation
- Apply the Hotfix / Upgrade: Ensure the appliance is running a patched SFOS build released on or after 25 April 2020. If the device was compromised, Sophos recommended a full device reset and reconfiguration rather than relying solely on the patch.
- Reduce WAN Exposure: Do not expose the XG Firewall administration interface or User Portal to untrusted networks. Restrict access to an internal management VLAN or a hardened jump host.
- Network Segmentation: Place management interfaces on isolated segments with strict ingress and egress filtering.
- Credential Rotation: Reset all local admin, portal admin, and VPN user passwords. Review VPN user accounts for unauthorized access or configuration changes.
- Compensating Controls: Deploy a web application firewall (WAF) or reverse proxy in front of management portals to enforce parameterized input validation and rate limiting.
Detection
- Firewall Logs: Monitor for unexpected source IPs accessing
/userportalor the admin HTTPS service from the WAN zone. - Database Integrity Checks: Sophos provided guidance for verifying whether the device had been compromised by checking for specific indicators of tampering.
- Egress Monitoring: Look for anomalous outbound connections from the firewall appliance to unfamiliar external hosts, which may indicate exfiltration or command-and-control activity.
- Authentication Anomalies: Alert on sudden changes to local administrator accounts or the creation of unexpected VPN user profiles.
Assessment
CVE-2020-12271 carries an EPSS score of 0.42164 (approximately the 98.5th percentile), indicating a very high probability of real-world exploitation. It is also listed in CISA's Known Exploited Vulnerabilities catalog, with exploitation confirmed since 2021-11-03. The combination of a critical CVSS score, zero-authentication requirements, and observed in-the-wild exploitation makes this a textbook example of why edge security appliances must never expose management interfaces to the public internet. Two key lessons emerge: first, administrative portals should always reside on out-of-band networks; second, automatic security updates on critical infrastructure can substantially shrink the window of opportunity for attackers.
References
Frequently asked questions
- What is CVE-2020-12271?
- A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)
- How severe is CVE-2020-12271?
- CVE-2020-12271 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2020-12271 being actively exploited?
- Yes. CVE-2020-12271 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2020-12271?
- CVE-2020-12271 primarily affects Sophos Sfos. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-12271?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2020-12271 have an EU (EUVD) identifier?
- Yes. CVE-2020-12271 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-4584. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2020-12271 published?
- CVE-2020-12271 was published on 2020-04-27 and last updated on 2026-06-17.
References
- https://community.sophos.com/kb/en-us/135412
- https://cwe.mitre.org/data/definitions/89.html
- https://news.sophos.com/en-us/2020/04/26/asnarok/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12271
Affected products (4)
- cpe:2.3:o:sophos:sfos:17.0:*:*:*:*:*:*:*
- cpe:2.3:o:sophos:sfos:17.1:*:*:*:*:*:*:*
- cpe:2.3:o:sophos:sfos:17.5:*:*:*:*:*:*:*
- cpe:2.3:o:sophos:sfos:18.0:*:*:*:*:*:*:*
More vulnerabilities in Sophos Sfos
- CVE-2022-1040 — Critical (CVSS 9.8): An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in…
- CVE-2020-11503 — Critical (CVSS 9.8): A heap-based buffer overflow in the awarrensmtp component of Sophos XG Firewall v17.5 MR11 and older potentially allows…
- CVE-2018-16117 — High (CVSS 8.8): A shell escape vulnerability in /webconsole/Controller in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote…
- CVE-2018-16116 — High (CVSS 8.8): SQL injection vulnerability in AccountStatus.jsp in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote…
- CVE-2018-16118 — High (CVSS 8.1): A shell escape vulnerability in /webconsole/APIController in the API Configuration component of Sophos XG firewall…
- CVE-2017-18014 — Medium (CVSS 6.1): An NC-25986 issue was discovered in the Logging subsystem of Sophos XG Firewall with SFOS before 17.0.3 MR3. An…
All CVEs affecting Sophos Sfos →
Other CWE-89 (SQL Injection) vulnerabilities
- CVE-2026-54350 — Critical (CVSS 10.0): Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase…
- CVE-2026-8054 — Critical (CVSS 10.0): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints…
- CVE-2026-42287 — Critical (CVSS 10.0): Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and…
- CVE-2026-3325 — Critical (CVSS 10.0): SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the…
- CVE-2025-10878 — Critical (CVSS 10.0): A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26.…
- CVE-2025-57792 — Critical (CVSS 10.0): Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of…