CVE-2013-4984

Sophos Web Appliance <3.7.9.1, <3.8-3.8.1.1 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-4984. PoCs published by Metasploit, Core Security, Francisco Falcon, juan vazquez, including Metasploit module exploits/linux/local/sophos_wpa_clear_keys.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in Sophos Web Protection Appliance's clear_keys.pl script to escalate privileges from the 'spiderman' user to root. It drops and executes a payload via the vulnerable script.

Description

The close_connections function in /opt/cma/bin/clear_keys.pl in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows local users to gain privileges via shell metacharacters in the second argument.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocallinux
https://www.exploit-db.com/exploits/28332

This Metasploit module exploits a command injection vulnerability in Sophos Web Protection Appliance's clear_keys.pl script to escalate privileges from the 'spiderman' user to root. It drops and executes a payload via the vulnerable script.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Sophos Web Protection Appliance 3.7.0
Auth required
Prerequisites: Access to the 'spiderman' user account · Presence of the vulnerable clear_keys.pl script
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Core Security · textwebappslinux
https://www.exploit-db.com/exploits/28175

The exploit demonstrates a pre-authentication OS command injection vulnerability in Sophos Web Protection Appliance. It leverages improper input sanitization in the '/opt/ws/bin/sblistpack' Perl script, allowing unauthenticated remote attackers to execute arbitrary commands via a crafted 'domain' POST parameter.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Sophos Web Protection Appliance v3.7.9 and earlier, v3.8.0, v3.8.1
No auth needed
Prerequisites: Network access to the target appliance's web interface
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Francisco Falcon, juan vazquez · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sophos_wpa_clear_keys.rb

This Metasploit module exploits a command injection vulnerability in Sophos Web Protection Appliance's clear_keys.pl script to escalate privileges from the 'spiderman' user to 'root'. It drops and executes a payload via sudo abuse.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Sophos Web Protection Appliance 3.7.0
Auth required
Prerequisites: Access to the 'spiderman' user account · Presence of the vulnerable clear_keys.pl script
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Technical Description, Vendor Advisory x_refsource_misc
http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities

Scores

EPSS 0.0813
EPSS Percentile 94.1%

Details

CWE
CWE-264 CWE-78
Status published
Products (50)
sophos/web_appliance 3.0.0
sophos/web_appliance 3.0.1
sophos/web_appliance 3.0.1.1
sophos/web_appliance 3.0.2
sophos/web_appliance 3.0.3
sophos/web_appliance 3.0.4
sophos/web_appliance 3.0.5
sophos/web_appliance 3.0.5.1
sophos/web_appliance 3.1.0
sophos/web_appliance 3.1.0.1
... and 40 more
Published Sep 10, 2013
Tracked Since Feb 18, 2026