CVE-2016-9553

HIGH

Sophos Web Appliance 4.2.1.3 - Authenticated Remote Command Injection via MgrReport.php


Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-9553. PoCs published by xort.

AI-analyzed exploit summary: This Metasploit module exploits a remote command injection vulnerability in Sophos Web Appliance <= v4.2.1.3 via the 'blockip' or 'unblockip' parameters in MgrReport.php. It supports both direct command execution and payload delivery via an encoded ELF binary.

Description

The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two Remote Command Injection vulnerabilities affecting its web administrative interface. These vulnerabilities occur in the MgrReport.php (/controllers/MgrReport.php) component responsible for blocking and unblocking IP addresses from accessing the device. The device doesn't properly escape the information passed in the variables 'unblockip' and 'blockip' before calling the shell_exec() function, which allows system commands to be injected into the device. The code erroneously suggests that the information handled is protected by utilizing the variable name 'escapedips'; however, this was not the case. The Sophos ID is NSWA-1258.
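A defender-side check for the flaw described above, added here as an example and not taken from Sophos or from the referenced exploit: it flags form-encoded request bodies whose 'blockip' or 'unblockip' value is anything other than plain IP addresses. The comma-separated list format, the function names and the sample bodies are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl

# Parameter names are the ones named in the description above.
WATCHED_PARAMS = {"blockip", "unblockip"}

# Characters that can appear in an IPv4/IPv6 literal. Checked before parsing
# because ipaddress accepts an IPv6 zone suffix ("%...") with arbitrary text.
IP_CHARS = re.compile(r"[0-9A-Fa-f:.]+")


def is_plain_ip_list(value):
    """True only if value is one or more comma-separated IP literals (assumed format)."""
    for part in value.split(","):
        part = part.strip()
        if not IP_CHARS.fullmatch(part):
            return False
        try:
            ipaddress.ip_address(part)
        except ValueError:
            return False
    return True


def suspicious_params(body):
    """Return (name, decoded value) pairs that are not plain IP lists."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in WATCHED_PARAMS and not is_plain_ip_list(value):
            hits.append((name, value))
    return hits


# Constructed sample request bodies (not captured traffic).
SAMPLES = [
    "blockip=192.0.2.7",
    "unblockip=192.0.2.7%2C198.51.100.9",
    "blockip=192.0.2.7%3Bid",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", suspicious_params(body) or "ok")
```

The same allow-list test (parse as an IP address, reject everything else) is the check the description says was missing before the value reached shell_exec().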

Exploits (1)

exploitdb WORKING POC VERIFIED
by xort · ruby · webapps · php
https://www.exploit-db.com/exploits/41413

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sophos Web Appliance <= v4.2.1.3
Auth required
Prerequisites: Valid credentials for the Sophos Web Appliance · Network access to the target device
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/95853
Exploit x_refsource_misc
http://pastebin.com/DUYuN0U5

Scores

CVSS v3 7.2
EPSS 0.1931
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-77
Status: published
Products (1): sophos/web_appliance 4.2.1.3
Published: Jan 28, 2017
Tracked Since: Feb 18, 2026