CVE-2023-1671

CRITICAL KEV NUCLEI

Sophos Web Appliance <4.3.10.4 - Command Injection

Title source: llm

Exploitation Summary

CVE-2023-1671 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 16, 2023. EIP tracks 5 public exploits from researchers including Behnam Abasi Vanda, W01fh4cker, ohnonoyesyes. A Nuclei detection template is also available.

AI-analyzed exploit summary This script exploits a pre-authentication command injection vulnerability in Sophos Web Appliance versions older than 4.3.10.4 (CVE-2023-1671). It uses DNS exfiltration via dnslog.cn to confirm successful command injection by pinging a generated subdomain.

Description

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.

Exploits (5)

exploitdb WORKING POC

by Behnam Abasi Vanda · bashwebappsphp

https://www.exploit-db.com/exploits/51396

View Code ZIP pw:eip

This script exploits a pre-authentication command injection vulnerability in Sophos Web Appliance versions older than 4.3.10.4 (CVE-2023-1671). It uses DNS exfiltration via dnslog.cn to confirm successful command injection by pinging a generated subdomain.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Sophos Web Appliance < 4.3.10.4

No auth needed

Prerequisites: Target list file with vulnerable Sophos Web Appliance instances

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 17 stars

by W01fh4cker · remote

https://github.com/W01fh4cker/CVE-2023-1671-POC

View Code ZIP pw:eip

This PoC exploits CVE-2023-1671, a pre-auth RCE vulnerability in Sophos Web Appliance, by injecting a command via a base64-encoded payload in the 'user_encoded' parameter. It uses DNS exfiltration to confirm vulnerability.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Sophos Web Appliance

No auth needed

Prerequisites: Target URL · DNSLog domain (optional)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 5 stars

by ohnonoyesyes · remote

https://github.com/ohnonoyesyes/CVE-2023-1671

View Code ZIP pw:eip

This PoC demonstrates a pre-authentication remote code execution (RCE) vulnerability in Sophos Web Appliance by injecting a reverse shell command via the `user_encoded` parameter, which is base64-encoded and executed on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Sophos Web Appliance (version not specified)

No auth needed

Prerequisites: Network access to the target · Target running vulnerable Sophos Web Appliance

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by csffs · remote

https://github.com/csffs/cve-2023-1671

View Code ZIP pw:eip

This repository contains a Python-based exploit for CVE-2023-1671, which leverages a command injection vulnerability in ClearSwift SECURE Email Gateway due to improper handling of user input in the `user_encoded` parameter. The exploit demonstrates both vulnerability testing (via DNS log ping) and arbitrary command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ClearSwift SECURE Email Gateway

No auth needed

Prerequisites: Network access to the target system · Vulnerable version of ClearSwift SECURE Email Gateway

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/behnamvanda/CVE-2023-1671

View Code ZIP pw:eip

This repository contains a functional exploit script for CVE-2023-1671, a pre-authentication command injection vulnerability in Sophos Web Appliance versions older than 4.3.10.4. The script automates the exploitation process by generating a DNS subdomain for callback verification and sending a crafted request to trigger the command injection.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Sophos Web Appliance < 4.3.10.4

No auth needed

Prerequisites: target list file with hostnames/IPs · internet access for DNS callback verification

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

Nuclei Templates (1)

Sophos Web Appliance - Remote Code Execution

CRITICALVERIFIEDby Co5mos

Shodan: title:"Sophos Web Appliance" || http.title:"sophos web appliance" || http.favicon.hash:-893681401

FOFA: title="Sophos Web Appliance" || title="sophos web appliance" || icon_hash=-893681401

References (3)

Core 3

Core References

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/172016/Sophos-Web-Appliance-4.3.10.4-Command-Injection.html

Vendor Advisory

https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-1671

Scores

CVSS v3 9.8

EPSS 0.9430

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2023-11-16

VulnCheck KEV 2023-11-16

InTheWild.io 2023-11-16

ENISA EUVD EUVD-2023-23899

CWE

CWE-77

Status published

Products (1)

sophos/web_appliance < 4.3.10.4

Published Apr 04, 2023

KEV Added Nov 16, 2023

Tracked Since Feb 18, 2026