CVE-2020-25223

CRITICAL · KEV · NUCLEI

Sophos Unified Threat Management < 9.511 - Remote Code Execution via WebAdmin SID Parameter

Title source: llm

Exploitation Summary

CVE-2020-25223 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 3 public exploits from researchers including darrenmartyn, maguireja, Justin Kennedy and wvu, among them a Metasploit module (exploits/linux/http/sophos_utm_webadmin_sid_cmd_injection). A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2020-25223, a pre-authentication remote code execution vulnerability in Sophos UTM 9. The exploit sends a reverse shell payload via a crafted HTTP POST request to the target's /var endpoint.

Description

A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11.

Exploits (3)

nomisec · WORKING POC · 11 stars
by darrenmartyn · remote
https://github.com/darrenmartyn/sophucked

This repository contains a functional exploit for CVE-2020-25223, a pre-authentication remote code execution vulnerability in Sophos UTM 9. The exploit sends a reverse shell payload via a crafted HTTP POST request to the target's /var endpoint.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Sophos UTM 9
No auth needed
Prerequisites: Network access to the target's web interface (port 4443) · Python 2.x environment
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 2 stars
by maguireja · poc
https://github.com/maguireja/CVE-2020-25223

This PoC exploits CVE-2020-25223, a command injection vulnerability in Sophos UTM, to exfiltrate the /etc/shadow file. It sends a crafted POST request to execute arbitrary commands via the SID parameter, then retrieves the shadow file and cleans up.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Sophos UTM (versions affected by CVE-2020-25223)
No auth needed
Prerequisites: Network access to the Sophos UTM management interface (port 4444) · Vulnerable Sophos UTM version
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
by Justin Kennedy, wvu · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/sophos_utm_webadmin_sid_cmd_injection.rb

This Metasploit module exploits a command injection vulnerability in Sophos UTM's WebAdmin interface via the SID parameter, allowing remote code execution as root. The exploit leverages a Perl open function injection to execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sophos UTM WebAdmin
No auth needed
Prerequisites: Network access to Sophos UTM WebAdmin interface (port 4444/SSL)
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

Sophos UTM Preauth - Remote Code Execution
CRITICAL · by gy741
Shodan: http.title:"securepoint utm"
FOFA: title="securepoint utm"

Scores

CVSS v3 9.8
EPSS 0.9429
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2022-03-25
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2020-17913
CWE
CWE-78
Status published
Products (4)
sophos/unified_threat_management 9.511
sophos/unified_threat_management 9.607
sophos/unified_threat_management 9.705
sophos/unified_threat_management < 9.511
Published Sep 25, 2020
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026