CVE-2022-3980

CRITICAL EXPLOITED NUCLEI

Sophos Mobile < 9.7.5 - XXE

Title source: rule

Description

An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.

Nuclei Templates (1)

Sophos Mobile managed on-premises - XML External Entity Injection

CRITICALVERIFIEDby dabla

Shodan: http.favicon.hash:-1274798165 || http.title:"sophos mobile"

FOFA: title="Sophos Mobile" || icon_hash=-1274798165 || title="sophos mobile"

References (1)

[Patch, Vendor Advisory] https://www.sophos.com/en-us/security-advisories/sophos-sa-20221116-smc-xee

Scores

CVSS v3 9.8

EPSS 0.8796

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2023-11-13

CWE

CWE-611

Status published

Products (1)

sophos/mobile 5.0.0 - 9.7.5

Published Nov 16, 2022

Tracked Since Feb 18, 2026