Informational

Critical

Resolved SQLi in Cyberoam OS WebAdmin (CVE-2020-29574)

CVE(s): CVE-2020-29574
Product(s): Cyberoam OS Devices
Updated: 2020 Dec 10
Article Version: 1
First Published: 2020 Dec 10
Publication ID: sophos-sa-20201210-cyberoam-webadmin-sqli
Workaround: No

Overview

An SQL injection vulnerability in the WebAdmin interface of Cyberoam OS was recently discovered and has been patched through a hotfix. On some systems, this vulnerability may have been exploited to create an unrecognized account.

Applies to the following Sophos product(s) and version(s)

  • All Cyberoam OS devices

Remediation

  • Hotfix distributed to all supported Cyberoam OS devices starting December 4, 2020
  • Hotfix also distributed to unsupported EOL Cyberoam versions 10.6.2 and later
  • Additionally, Sophos recommends that Cyberoam customers upgrade to XG Firewall v17.5 or the latest available Cyberoam OS release

Recommendation

Customers can further protect themselves by ensuring that Web Admin and SSH access are not exposed to the WAN (System > Administration > Appliance Access).

Related Information

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29574


Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.