PatchDayAlert
Analysis · 6 min read · 1,284 words · By Colten Anderson

Sophos has seven CISA KEV entries. Five hit the same management interface.

The User Portal and Webadmin surface runs through SQL injection, buffer overflow, authentication bypass, and code injection across five years. Chinese state actors exploited several of them as zero-days, and the exploitation often started before Sophos knew about the bugs.


In December 2024, the Department of Justice indicted a Chinese national named Guan Tianfeng for developing a zero-day exploit that compromised approximately 81,000 Sophos firewalls. More than 23,000 of those were in the United States, including 36 serving critical infrastructure. The vulnerability, CVE-2020-12271, was a pre-authentication SQL injection in the Sophos XG Firewall that activated when the admin service or User Portal was exposed on the WAN. Guan worked for Sichuan Silence Information Technology, a Chengdu-based contractor that provides services to Chinese intelligence agencies. According to the Sophos Pacific Rim report published in October 2024, Sophos had received a bug bounty submission about CVE-2020-12271 from researchers at Sichuan Silence’s Double Helix Research Institute in April 2020. Exploitation began the next day.

That timeline, a bug bounty submission one day and mass exploitation the next, is the most direct evidence of what the Sophos Firewall management interface has been dealing with.

The seven entries

Sophos has seven entries in the CISA Known Exploited Vulnerabilities catalog across its firewall products, spanning 2020 to 2023. They break down across two clusters.

The management portal cluster. Five entries involve the internet-facing management surfaces: the User Portal, the Webadmin console, or both.

  • CVE-2020-12271: Pre-auth SQL injection in SFOS when the admin service or User Portal is exposed on the WAN. Allows remote code execution and exfiltration of local account credentials including hashed passwords. Added to KEV November 2021. CISA lists this with known ransomware use.
  • CVE-2020-15069: Buffer overflow in the XG Firewall User Portal, specifically the HTTP/S bookmark feature. Allows remote code execution. Added to KEV February 2025.
  • CVE-2020-25223: Remote code execution in the WebAdmin of Sophos SG UTM. Added to KEV March 2022.
  • CVE-2022-1040: Authentication bypass in the User Portal and Webadmin of Sophos Firewall, CVSS 9.8. Allows remote code execution without authentication. Added to KEV March 2022.
  • CVE-2022-3236: Code injection in the User Portal and Webadmin, CVSS 9.8. Allows remote code execution via malformed JSON in a controller endpoint. Added to KEV September 2022.

Outside the management portal. Two entries hit different surfaces: CVE-2023-1671 is a command injection in the Sophos Web Appliance’s warn-proceed handler, added to KEV November 2023. CVE-2020-29574 is a SQL injection in the WebAdmin of CyberoamOS, an end-of-life product that Sophos acquired and has since deprecated. No fix is available for the CyberoamOS entry; CISA’s remediation guidance is to discontinue use.

The pattern underneath the list

Five bugs across five years landed in the same two components, the User Portal and Webadmin, yet span different vulnerability classes: SQL injection, buffer overflow, authentication bypass, code injection. These are not the same root cause showing up repeatedly. They are different failure modes in the same interface.

SQL injection from a malformed query parameter and a buffer overflow in a bookmark feature are structurally unrelated bugs. They suggest separate code paths, separate authors, and separate review gaps, all landing in the same internet-facing management surface. The interface that a Sophos Firewall exposes to the WAN for user login and administrative tasks has produced exploitable critical vulnerabilities in every year from 2020 through 2022, with the 2020 vintage still landing in the KEV catalog as late as February 2025.

The more interesting detail is who was looking. Chinese state actors had clearly catalogued this surface as productive well before Sophos had reason to prioritize hardening it. The zero-day use pattern, exploitation beginning before or immediately after vulnerability disclosure, is not an accident. It reflects deliberate investment in this attack surface.

What the attribution shows

Sophos’s Pacific Rim report, published October 31, 2024, documented more than five years of Chinese state actor campaigns targeting Sophos perimeter devices. The attackers’ tactics and tools showed overlapping characteristics with Volt Typhoon, APT31, and APT41. Targets included nuclear energy suppliers, a major airport, a military hospital, and central government ministries, primarily in South and Southeast Asia.

CVE-2022-1040 was exploited by DriftingCloud, a Chinese APT, beginning roughly three weeks before Sophos published the patch in March 2022. Volexity identified the active exploitation while investigating a compromise at a South Asian organization: the attacker had used the zero-day to install webshell backdoors and then pivoted to cloud-hosted infrastructure outside the firewall’s perimeter. In that case the firewall was the entry point, not an obstacle.

CVE-2022-3236 followed six months later. Sophos observed active exploitation in a small set of organizations before publication, again in the South Asia region.

The Pacific Rim report described Sophos's counter-response: deploying forensic tooling onto compromised devices to monitor attacker behavior, working with European law enforcement to seize a command-and-control server used in the Asnarök campaign tied to CVE-2020-12271, and tracing exploit development back to academic research institutions in Sichuan province. The DOJ's December 2024 indictment of Guan Tianfeng and Treasury's simultaneous sanctions against Sichuan Silence translated that attribution into legal action. OFAC offered up to $10 million for information on individuals engaged in malicious cyber activity against US critical infrastructure; Guan's work on CVE-2020-12271 was the specific predicate.

What this means for prioritization

The structural observation is that the Sophos Firewall management interface has been a productive target for state-level adversaries across multiple years and multiple vulnerability classes. Patching individual CVEs is necessary but does not address the underlying exposure: the interface itself, when accessible from the internet, is the lever.

For admins running Sophos firewalls:

Management interface exposure is the first question. The User Portal and Webadmin should not be reachable from the WAN. Three of the five management-portal KEV entries, CVE-2020-12271, CVE-2022-1040, and CVE-2022-3236, explicitly require that the admin service or User Portal be exposed on the WAN zone for exploitation to work. Pulling those off the internet eliminates the attack path for those three CVEs regardless of patch state.

Sophos advisories warrant immediate action. The exploitation timeline across these CVEs, particularly the zero-day use in CVE-2022-1040 and the same-day exploitation in CVE-2020-12271, means that the window between advisory publication and active exploitation can be measured in hours or days. Treat Sophos security advisories as same-day patch events for any internet-facing installation.

EoL products have no path forward. CVE-2020-29574 in CyberoamOS will not receive a patch. CISA’s guidance is to discontinue use. If CyberoamOS hardware is still in production, the management interface risk has no remediation other than replacement.

Assume prior exposure if you ran unpatched through any of these windows. Given the scale of the Asnarök campaign (81,000 firewalls), any XG Firewall that was internet-facing with the admin service exposed and unpatched through 2020 should be treated as potentially compromised, with attention to the credential exfiltration that CVE-2020-12271 enabled. The hashed passwords extracted in that campaign covered local admins, portal admins, and VPN users.
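The four prioritization rules above (WAN exposure of the management interface first, unpatched KEV entries as same-day patch events, replacement for end-of-life platforms, and an assume-compromise posture with credential rotation for XG Firewalls that ran exposed and unpatched through 2020) can be run as a single triage pass over a firewall inventory. The script below is an added example written for this article, not PatchDayAlert tooling or anything from Sophos or CISA. The KEV sample is a constructed subset using the public feed's real field names (cveID, vendorProject, product, requiredAction, knownRansomwareCampaignUse), but the product strings, the platform mapping, the inventory entries and the scoring weights are assumptions chosen for illustration.

```python
"""Triage a Sophos firewall inventory against CISA KEV entries.

Rules encoded (from the article's prioritization section):
  1. User Portal / Webadmin reachable from the WAN is the first finding.
  2. Unpatched KEV entries are same-day patch events; three of the
     management-portal CVEs need WAN exposure to be exploitable.
  3. End-of-life platforms (CyberoamOS) have no patch path: replace.
  4. An XG Firewall (SFOS) that ran internet-facing and unpatched through
     2020 is treated as potentially compromised; rotate credentials.
"""
import json
from dataclasses import dataclass, field

# Constructed sample in the shape of CISA KEV records. Field names match the
# public feed; product strings are placeholders, not the feed's exact values.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2020-12271", "vendorProject": "Sophos", "product": "XG Firewall",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2020-15069", "vendorProject": "Sophos", "product": "XG Firewall",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-25223", "vendorProject": "Sophos", "product": "SG UTM",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-1040", "vendorProject": "Sophos", "product": "Firewall",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-3236", "vendorProject": "Sophos", "product": "Firewall",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-1671", "vendorProject": "Sophos", "product": "Web Appliance",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-29574", "vendorProject": "Sophos", "product": "CyberoamOS",
     "requiredAction": "Discontinue use of the product.", "knownRansomwareCampaignUse": "Unknown"},
    # Placeholder non-Sophos record, present only to show vendor filtering.
    {"cveID": "CVE-0000-0000", "vendorProject": "OtherVendor", "product": "Placeholder",
     "requiredAction": "n/a", "knownRansomwareCampaignUse": "Unknown"},
]})

# Assumed mapping from KEV product string to the platform tag used in inventory.
PLATFORM_OF_PRODUCT = {"XG Firewall": "SFOS", "Firewall": "SFOS", "SG UTM": "SG UTM",
                       "CyberoamOS": "CyberoamOS", "Web Appliance": "SWA"}
# CVEs the article says require the admin service / User Portal on the WAN zone.
WAN_EXPOSURE_REQUIRED = {"CVE-2020-12271", "CVE-2022-1040", "CVE-2022-3236"}
EOL_PLATFORMS = {"CyberoamOS"}
# Scoring weights are assumptions; higher score means act first.
W_EOL, W_EXPOSURE, W_PATCH_NOW, W_PATCH_CLOSED, W_COMPROMISE = 100, 50, 30, 5, 45


@dataclass
class Firewall:
    name: str
    platform: str                     # "SFOS", "SG UTM", "CyberoamOS" or "SWA"
    wan_mgmt_exposed: bool            # User Portal / Webadmin reachable from WAN
    patched: set = field(default_factory=set)  # CVE ids already remediated
    exposed_unpatched_2020: bool = False       # ran exposed and unpatched through 2020


def sophos_kev(feed_text):
    """Return only the Sophos records from a KEV-shaped JSON document."""
    return [r for r in json.loads(feed_text)["vulnerabilities"] if r["vendorProject"] == "Sophos"]


def triage(fw, kev):
    """Return (score, findings) for one firewall."""
    findings, score = [], 0
    if fw.platform in EOL_PLATFORMS:
        findings.append("REPLACE: end-of-life platform, no patch available")
        score += W_EOL
    if fw.wan_mgmt_exposed:
        findings.append("EXPOSURE: remove User Portal/Webadmin from the WAN zone")
        score += W_EXPOSURE
    for rec in kev:
        cve = rec["cveID"]
        if PLATFORM_OF_PRODUCT.get(rec["product"]) != fw.platform or cve in fw.patched:
            continue
        if fw.platform in EOL_PLATFORMS:
            continue  # nothing to patch; the REPLACE finding already covers it
        if cve in WAN_EXPOSURE_REQUIRED and not fw.wan_mgmt_exposed:
            findings.append(f"PATCH: {cve} unpatched, attack path closed by exposure posture")
            score += W_PATCH_CLOSED
        else:
            tag = " (known ransomware use)" if rec["knownRansomwareCampaignUse"] == "Known" else ""
            findings.append(f"PATCH NOW: {cve} unpatched and reachable{tag}")
            score += W_PATCH_NOW
    if fw.platform == "SFOS" and fw.exposed_unpatched_2020:
        findings.append("ASSUME COMPROMISE: exposed and unpatched through 2020 (CVE-2020-12271 "
                        "credential exfiltration); rotate local admin, portal admin and VPN credentials")
        score += W_COMPROMISE
    return score, findings


def rank(inventory, feed_text):
    """Return [(name, score, findings)] sorted so the most urgent firewall is first."""
    kev = sophos_kev(feed_text)
    return sorted(((fw.name, *triage(fw, kev)) for fw in inventory), key=lambda t: -t[1])


# Constructed inventory for the demonstration.
INVENTORY = [
    Firewall("fw-branch-a", "SFOS", wan_mgmt_exposed=True,
             patched={"CVE-2020-15069", "CVE-2022-1040"}, exposed_unpatched_2020=True),
    Firewall("fw-dc-core", "SFOS", wan_mgmt_exposed=False,
             patched={"CVE-2020-12271", "CVE-2020-15069", "CVE-2022-1040"}),
    Firewall("fw-legacy", "CyberoamOS", wan_mgmt_exposed=True),
]

if __name__ == "__main__":
    for name, score, findings in rank(INVENTORY, KEV_SAMPLE):
        print(f"{name} (score {score})")
        for line in findings:
            print("  -", line)
```

In practice the feed text would come from the published KEV JSON and the inventory from a CMDB export; the point of the ordering is that a WAN-exposed management interface on a current firewall outranks a fully patched one even when both are missing the same CVE, because the exposure posture decides whether the three WAN-dependent CVEs are reachable at all.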

The fact that Sophos was running a counter-intelligence operation against these actors for years while the bugs kept appearing in the same interface is notable, not as a criticism, since state-level adversaries are a hard problem, but as evidence that the adversaries had identified the management surface as reliably productive and kept returning to it. Five CVE entries across five years in the same interface is confirmation of their assessment.

PatchDayAlert tracks Sophos KEV additions as they land and flags active exploitation in the daily digest.
