
Rapid7 Analysis: CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability

Last updated on Jun 16, 2026

Description

On April 25, 2020, Sophos published a blog post on CVE-2020-12271, a pre-authentication SQL injection zero-day vulnerability that leads to remote code execution in Sophos XG Firewalls. Systems with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone are affected. CVE-2020-12271 carries a CVSSv3 base score of 10.

Code White Security has released a detailed article on the reverse engineering effort that went into analyzing the attack. In the following report, Rapid7 researchers note that they have observed many vulnerable instances of XG Firewall exposed to the public internet despite the patch being available; given the prior exploitation, we recommend organizations take immediate action.

Affected products

The following major versions of Sophos XG Firewall are affected:

  • 17.0
  • 17.1
  • 17.5
  • 18.0

The following versions of Sophos XG Firewall have the hotfix applied:

  • 17.0.10.240
  • 17.1.4.254
  • 17.5.11.661
  • 18.0.0.379
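The following is an added example, not Rapid7's or Sophos's code, that turns the two lists above into an inventory check: each SFOS build string is compared against the first hotfixed build for its major branch. It assumes SFOS build strings are dotted integers (`major.minor.maint.build`) and that the four hotfixed builds listed on this page are the minimum patched builds for their branches; v16 and v16.5 devices received a hotfix too, but no build number is given here, so they are flagged for manual verification rather than classified. The sample inventory is constructed for illustration.

```python
"""Classify Sophos XG Firewall (SFOS) builds against the CVE-2020-12271 hotfix list.

Added example for this advisory; not Rapid7's or Sophos's code.
"""

from typing import Dict, Tuple

# First builds carrying the hotfix, per affected major branch (values from the advisory).
HOTFIXED_BUILDS: Dict[str, str] = {
    "17.0": "17.0.10.240",
    "17.1": "17.1.4.254",
    "17.5": "17.5.11.661",
    "18.0": "18.0.0.379",
}

# Constructed sample inventory: hostname -> reported SFOS build string.
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-edge-01": "17.5.10.120",   # 17.5 branch, below the hotfixed build
    "fw-edge-02": "17.5.11.661",   # exactly the hotfixed build
    "fw-branch-03": "18.0.0.100",  # 18.0 branch, below the hotfixed build
    "fw-lab-04": "16.5.3.100",     # unsupported branch, hotfix build not listed on the page
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into a tuple of ints so that builds compare numerically.

    Raises ValueError on anything that is not dotted integers; a silent
    string comparison would rank '17.5.9.x' above '17.5.11.x'.
    """
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed SFOS version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unsupported-verify' for one build string."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = HOTFIXED_BUILDS.get(branch)
    if fixed is None:
        # v16/v16.5 (or anything unexpected): the page gives no hotfixed build
        # number, so the device must be checked by hand rather than assumed safe.
        return "unsupported-verify"
    # Tuple comparison is lexicographic on the integer fields, so a shorter or
    # older build sorts below the hotfixed build for the same branch.
    return "patched" if parsed >= parse_version(fixed) else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Assess every host in an inventory; unparsable versions are reported, not skipped."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = assess(version)
        except ValueError as exc:
            results[host] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:14} {status}")
```

Hosts reported as `vulnerable` should be treated as candidates for the hotfix described under Guidance; `unsupported-verify` hosts need the out-of-band hotfix status confirmed on the device itself, since a missing entry in the table says nothing about whether the fix is present.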

Rapid7 analysis

On April 22, 2020, a suspicious field value in an XG Firewall management interface was reported to Sophos. This led to the discovery of a campaign leveraging CVE-2020-12271, a new zero-day vulnerability. The campaign used the SQL injection to run a wget command that downloaded malware, which installed itself and performed a number of functions, including connecting back to a C2 domain, ensuring persistence across reboots, and exfiltrating usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. CVE-2020-12271 is confirmed to be exploited in the wild and poses an ongoing threat to organizations. This SQL injection vulnerability has been found in customized malware used to compromise physical and virtual XG devices. The vulnerable code exists in all supported versions of XG Firewall; since the hotfix was also made available to unsupported SFOS v16 and v16.5 devices, the vulnerability was introduced as early as SFOS v16.

Guidance

Sophos XG Firewall customers who have disabled “Allow automatic installation of hotfixes” should refer to the following KBA for instructions on how to apply the required hotfix.

References

  • https://www.sophos.com/en-us.aspx
  • https://support.sophos.com/support/s/article/KB-000039388?language=en_US
  • https://attackerkb.com/topics/CkJJPr77qk/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability
  • https://community.sophos.com/kb/en-us/135415
  • https://codewhitesec.blogspot.com/2020/07/sophos-xg-tale-of-unfortunate-re.html