What is Sophos XG Firewall SFOS?
Sophos Firewall OS (SFOS) is the operating system powering Sophos XG Firewall appliances — enterprise next-generation firewalls deployed at the network perimeter of corporate, government, educational, and critical infrastructure networks. The Admin Portal and User Portal are web interfaces built into SFOS; when exposed on the WAN (internet-facing) zone, they allow administrators and VPN users to manage the device and download VPN clients remotely. This WAN exposure makes them reachable attack surfaces for unauthenticated attackers.
Overview
CVE-2020-12271 is a SQL injection vulnerability (CWE-89) in Sophos SFOS that was exploited as a zero-day before Sophos was even aware of it. In April 2020, Sophos discovered the exploitation only after a customer reported unusual system table data. A Chinese APT (the "Asnarok" campaign) had already deployed custom implant malware to thousands of XG Firewall devices before Sophos issued its first public advisory. Sophos pushed an automatic hotfix within three days of discovering the attack.
This was one of the highest-profile zero-day exploitation campaigns against network perimeter devices of 2020.
Affected Versions
| Component | Vulnerable | Hotfixed / Fixed |
|---|---|---|
| Sophos SFOS | All versions with Admin/User Portal on WAN | Hotfix deployed April 25, 2020 |
The vulnerability exists when either the Administration (HTTPS) service or the User Portal is configured to be accessible from the WAN zone.
Technical Details
SFOS's Admin Portal and User Portal use a PostgreSQL-backed web application. The SQL injection vulnerability exists in one or more database queries that handle unauthenticated HTTP requests — specifically in form fields or parameters processed before any authentication check occurs.
The Asnarok threat actor exploited the injection to:
- Exfiltrate credentials: The SQL injection allowed dumping usernames and salted password hashes for local device administrators, portal administrators, and remote access user accounts (not AD/LDAP passwords, which are stored on external servers)
- Deploy malware persistence: After exfiltrating credentials, the attackers used a multi-stage payload delivery to install the Asnarok implant — a persistent rootkit-level malware designed to survive reboots and access credential data
- Trojanized hotfix attempt: The attackers attempted to deliver a malicious firmware update that appeared as a legitimate Sophos hotfix, which would have maintained access even after patching
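The defect class described above (CWE-89 in a query that runs before any authentication check) is easiest to see side by side with its fix. The following is an added illustration, not SFOS code and not Sophos's schema: it uses an in-memory SQLite table standing in for a device's local credential store (SFOS itself is PostgreSQL-backed), a string-concatenated lookup of the vulnerable kind, and the parameterised lookup that closes it. The table, column names and the hostile input are constructed for the example.

```python
import sqlite3

# Constructed stand-in for a local credential table (not SFOS's real schema).
SAMPLE_USERS = [
    ("admin", "sha512$salt1$deadbeef", "local_admin"),
    ("vpnuser1", "sha512$salt2$cafef00d", "remote_access"),
]


def make_db():
    """Build the in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbluser (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO tbluser VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89: the unauthenticated form value is spliced into the SQL text,
    so the request controls the query structure instead of just a value."""
    sql = f"SELECT username, password_hash FROM tbluser WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameterised: the value travels separately from the query text and is
    compared literally, whatever characters it contains."""
    sql = "SELECT username, password_hash FROM tbluser WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the same tautology-style input (constructed)."""
    conn = make_db()
    hostile = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),
        "hardened": lookup_hardened(conn, hostile),
    }


if __name__ == "__main__":
    result = demo()
    print("vulnerable query returned", len(result["vulnerable"]), "rows")
    print("hardened query returned", len(result["hardened"]), "rows")
```

The vulnerable lookup returns every row of the credential table for an input that is not a username at all, which is exactly the outcome the Asnarok operators used. Parameterisation is the primary fix; a second, independent layer is to give the pre-authentication code path a database role that cannot read the credential table in the first place, so an injection in that path has nothing of value to dump.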
Discovery
Sophos's own security team discovered the attack on April 22, 2020, when a customer reported unexpected data in a system table — data that turned out to be Asnarok malware staging its payload. Sophos reverse-engineered the intrusion, traced it to the SQL injection, and deployed an automatic hotfix to internet-connected XG Firewalls by April 25 — just three days after discovery. The attacker's trojanized hotfix delivery attempt was blocked.
Sophos and third-party researchers attributed the campaign to a Chinese APT with characteristics overlapping with APT41 / Winnti / BARIUM group activity, though no public formal attribution was made.
Exploitation Context
This was a sophisticated, targeted zero-day campaign:
- Attackers were already exploiting the vulnerability before public disclosure
- Asnarok malware was designed specifically for SFOS — not a generic tool
- The credential exfiltration suggests intelligence-gathering intent (nation-state profile)
- Sophos estimated thousands of XG Firewall devices were affected globally
CISA's classification includes `ransomwareUse: true`, indicating that beyond the initial state-sponsored campaign, CVE-2020-12271 was also later used by ransomware operators for initial access.
Remediation
- Verify hotfix status: Check the XG Firewall admin console (Administration → Firmware) to confirm the April 25, 2020 hotfix or a newer firmware version is applied.
- Remove Admin Portal from WAN: Unless absolutely required, disable Admin Portal access from the WAN zone in System → Administration → Device Access.
- Rotate all credentials: Assume all local admin, portal admin, and remote access user passwords stored on the device were exfiltrated. Rotate them immediately.
- Hunt for Asnarok: Sophos published IoCs for the Asnarok malware; check for the specific files, processes, and network connections documented in Sophos's May 21, 2020 analysis.
- Verify firmware integrity: Sophos provided a tool to verify firmware integrity; use it if there is any concern about tampered firmware being applied.
- Restrict portal to VPN-only access: Require users to connect via VPN before accessing the User Portal, eliminating the internet-exposed attack surface.
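The hotfix check and the WAN exposure steps above can be expressed as a single audit over a device's settings. The following is an added example, not a Sophos tool and not SFOS's configuration format: it takes a constructed snapshot of a device (hotfix status plus a service-to-zone access matrix, modelled on the Device Access screen), reports the conditions that made a device vulnerable, and produces the hardened access matrix with the Admin Portal and User Portal removed from the WAN zone. Hostnames, zone names and the `hotfix_applied` field are assumptions for the illustration.

```python
import copy

# Constructed device snapshot (illustrative layout, not SFOS export format).
SAMPLE_DEVICE = {
    "hostname": "xg-branch-01",
    "hotfix_applied": False,          # the 2020-04-25 hotfix or newer firmware
    # service -> zones it is reachable from (modelled on System > Administration > Device Access)
    "device_access": {
        "admin_https": {"LAN", "WAN"},
        "user_portal": {"LAN", "WAN"},
        "ssl_vpn": {"WAN"},           # VPN endpoint itself must stay reachable
    },
}

# The two services the advisory names as the exposed attack surface.
PORTAL_SERVICES = ("admin_https", "user_portal")


def audit(device):
    """Return a list of finding strings; empty means nothing to fix."""
    findings = []
    if not device["hotfix_applied"]:
        findings.append("UNPATCHED: 2020-04-25 hotfix or newer firmware not applied")
    for svc in PORTAL_SERVICES:
        if "WAN" in device["device_access"].get(svc, set()):
            findings.append(f"WAN_EXPOSED:{svc}")
    # Unpatched and internet-exposed together is the condition Asnarok used:
    # treat local credentials as exfiltrated and start the IoC hunt.
    unpatched = any(f.startswith("UNPATCHED") for f in findings)
    exposed = any(f.startswith("WAN_EXPOSED") for f in findings)
    if unpatched and exposed:
        findings.append("ASSUME_COMPROMISE: rotate local/portal/remote-access credentials, hunt for Asnarok IoCs")
    return findings


def harden(device):
    """Return a copy with both portals removed from the WAN zone; VPN-only
    access to the User Portal means it stays reachable from LAN/VPN zones."""
    fixed = copy.deepcopy(device)
    for svc in PORTAL_SERVICES:
        fixed["device_access"][svc].discard("WAN")
    return fixed


if __name__ == "__main__":
    for line in audit(SAMPLE_DEVICE):
        print(SAMPLE_DEVICE["hostname"], line)
    print("hardened access matrix:", harden(SAMPLE_DEVICE)["device_access"])
```

Removing WAN from the access matrix does not clear the `UNPATCHED` finding: the audit is deliberately two-part, because a device that was exposed while unpatched needs the credential rotation and hunt regardless of how it is configured today.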
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-12271 |
| Vendor / Product | Sophos — SFOS |
| NVD Published | 2020-04-27 |
| NVD Last Modified | 2025-11-07 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-89 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2020-04-22 | Sophos discovers zero-day exploitation; Asnarok malware already deployed |
| 2020-04-25 | Sophos deploys automatic hotfix to internet-connected XG Firewalls |
| 2020-04-27 | CVE-2020-12271 published; Sophos issues public advisory |
| 2020-05-21 | Sophos publishes detailed Asnarok malware analysis |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Sophos — Actively Exploited XG Firewall Zero-Day Fix | Vendor Advisory |
| NVD — CVE-2020-12271 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Sophos — Asnarok Malware Analysis | Security Research |