CVE-2020-12271 — Sophos SFOS SQL Injection Vulnerability


Sophos XG Firewall SFOS — Zero-Day SQL Injection Exploited by Chinese APT Before Patch

What is Sophos XG Firewall SFOS?

Sophos Firewall OS (SFOS) is the operating system powering Sophos XG Firewall appliances — enterprise next-generation firewalls deployed at the network perimeter of corporate, government, educational, and critical infrastructure networks. The Admin Portal and User Portal are web interfaces built into SFOS; when exposed on the WAN (internet-facing) zone, they allow administrators and VPN users to manage the device and download VPN clients remotely. This WAN exposure makes them reachable attack surfaces for unauthenticated attackers.

Overview

CVE-2020-12271 is a SQL injection vulnerability (CWE-89) in Sophos SFOS that was exploited as a zero-day before Sophos was aware of it. In April 2020, Sophos discovered the exploitation only after a customer reported unusual data in a system table. A Chinese APT (the "Asnarok" campaign) had already deployed custom implant malware to thousands of XG Firewall devices before Sophos issued its first public advisory. Sophos pushed an automatic hotfix within three days of discovering the attack.

This was one of the highest-profile zero-day exploitation campaigns of 2020 against network perimeter devices.

Affected Versions

Component     Vulnerable                                   Hotfixed / Fixed
Sophos SFOS   All versions with Admin/User Portal on WAN   Hotfix deployed April 25, 2020

The vulnerability exists when either the Administration (HTTPS) service or the User Portal is configured to be accessible from the WAN zone.

Technical Details

SFOS's Admin Portal and User Portal are served by a PostgreSQL-backed web application. The SQL injection lies in one or more database queries that handle unauthenticated HTTP requests, specifically in form fields or parameters that are processed before any authentication check occurs.

The Asnarok threat actor exploited the injection to:

  1. Exfiltrate credentials: The SQL injection allowed dumping usernames and salted password hashes for local device administrators, portal administrators, and remote access user accounts (not AD/LDAP passwords, which are stored on external servers).
  2. Deploy malware persistence: After exfiltrating credentials, the attackers used a multi-stage payload delivery to install the Asnarok implant, persistent rootkit-level malware designed to survive reboots and access credential data.
  3. Trojanized hotfix attempt: The attackers attempted to deliver a malicious firmware update disguised as a legitimate Sophos hotfix, which would have maintained access even after patching.
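The defect class above is a pre-authentication lookup that splices a request field into SQL text. The following is an added example, not Sophos's code: a constructed portal-user lookup shown in its vulnerable form next to its parameterized fix. sqlite3 stands in for PostgreSQL because it ships with Python and runs offline; the table, column names and sample rows are assumptions, not the real SFOS schema.

```python
import sqlite3

# Constructed stand-in for a portal credential store. SFOS is PostgreSQL-backed;
# sqlite3 is used here only because it runs offline. Table and column names are
# assumptions for this demo, not Sophos's real schema.
SCHEMA = """
CREATE TABLE portal_users (
    username      TEXT PRIMARY KEY,
    password_salt TEXT NOT NULL,
    password_hash TEXT NOT NULL
);
"""
SAMPLE_USERS = [
    ("admin",   "salt-1", "hash-placeholder-1"),
    ("vpnuser", "salt-2", "hash-placeholder-2"),
]


def open_demo_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO portal_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Pre-auth lookup that concatenates the request field into the statement.
    This is CWE-89: the database cannot distinguish data from query structure."""
    sql = f"SELECT username, password_hash FROM portal_users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter: the value travels separately from the
    statement text, so it can never alter the WHERE clause."""
    sql = "SELECT username, password_hash FROM portal_users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    crafted = "x' OR '1'='1"  # constructed tautology input, for demonstration only
    print("unsafe, benign :", find_user_unsafe(db, "admin"))
    print("unsafe, crafted:", find_user_unsafe(db, crafted))  # every credential row
    print("safe,   crafted:", find_user_safe(db, crafted))    # no such user
```

The unsafe function returns the whole credential table for the crafted input, which is the credential-dump outcome described above; the parameterized version treats the same input as a literal username and returns nothing.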

Discovery

Sophos's own security team discovered the attack on April 22, 2020, when a customer reported unexpected data in a system table — data that turned out to be Asnarok malware staging its payload. Sophos reverse-engineered the intrusion, traced it to the SQL injection, and deployed an automatic hotfix to internet-connected XG Firewalls by April 25 — just three days after discovery. The attacker's trojanized hotfix delivery attempt was blocked.

Sophos and third-party researchers attributed the campaign to a Chinese APT whose characteristics overlap with APT41 / Winnti / BARIUM group activity, though no formal public attribution was made.

Exploitation Context

This was a sophisticated, targeted zero-day campaign:

  • Attackers were exploiting the vulnerability before it was publicly disclosed
  • Asnarok malware was designed specifically for SFOS, not a generic tool
  • The credential exfiltration suggests intelligence-gathering intent (nation-state profile)
  • Sophos estimated thousands of XG Firewall devices were affected globally

CISA's KEV entry flags known ransomware use (ransomwareUse: true), indicating that beyond the initial state-sponsored campaign, CVE-2020-12271 was later also used by ransomware operators for initial access.

Remediation

  1. Verify hotfix status: Check the XG Firewall admin console (Administration → Firmware) to confirm the April 25, 2020 hotfix or a newer firmware version is applied.
  2. Remove Admin Portal from WAN: Unless absolutely required, disable Admin Portal access from the WAN zone in System → Administration → Device Access.
  3. Rotate all credentials: Assume all local admin, portal admin, and remote access user passwords stored on the device were exfiltrated. Rotate them immediately.
  4. Hunt for Asnarok: Sophos published IoCs for the Asnarok malware; check for the specific files, processes, and network connections documented in Sophos's May 21, 2020 analysis.
  5. Verify firmware integrity: Sophos provided a tool to verify firmware integrity; use it if there is any concern about tampered firmware being applied.
  6. Restrict portal to VPN-only access: Require users to connect via VPN before accessing the User Portal, eliminating the internet-exposed attack surface.

Key Details

Property               Value
CVE ID                 CVE-2020-12271
Vendor / Product       Sophos — SFOS
NVD Published          2020-04-27
NVD Last Modified      2025-11-07
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-89
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2020-04-22   Sophos discovers zero-day exploitation; Asnarok malware already deployed
2020-04-25   Sophos deploys automatic hotfix to internet-connected XG Firewalls
2020-04-27   CVE-2020-12271 published; Sophos issues public advisory
2020-05-21   Sophos publishes detailed Asnarok malware analysis
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline