CVE-2020-15069 — Sophos XG Firewall Buffer Overflow Vulnerability

Sophos XG Firewall — Unauthenticated RCE via HTTP/S Bookmark Buffer Overflow

What is Sophos XG Firewall?

Sophos XG Firewall is an enterprise next-generation firewall (NGFW) and unified threat management (UTM) appliance widely deployed in corporate, educational, and government networks. XG Firewall provides SSL VPN remote access, web filtering, intrusion prevention, and WAF capabilities. Its User Portal — a self-service web interface that allows employees to download VPN clients and configure remote access — is typically exposed on the internet, making it a recurring target for threat actors seeking initial network access.

Overview

CVE-2020-15069 is a buffer overflow (CWE-120) in Sophos XG Firewall's User Portal, specifically in the handling of HTTP/S bookmarks — a feature that allows the portal to proxy web traffic to internal resources. Unauthenticated attackers who can reach the User Portal can exploit the overflow to achieve remote code execution. The vulnerability was patched in June 2020 but added to CISA's KEV catalog in February 2025, reflecting exploitation in the context of a sustained campaign against Sophos XG Firewall devices.

Affected Versions

Component            Vulnerable               Fixed
Sophos XG Firewall   v17.x, v18.0 (pre-MR1)   v17.x hotfix, v18.0 MR1+

Sophos deployed an automatic hotfix to internet-connected devices; organizations with offline appliances or disabled automatic updates required manual patching.

Technical Details

The HTTP/S bookmark feature in the XG Firewall User Portal allows the portal to act as a reverse proxy for internal web resources. When processing a crafted HTTP request destined for a configured bookmark, the User Portal's request-parsing code performs an unsafe memory copy into a fixed-size buffer without bounds checking. A specially crafted request with an oversized value in a specific HTTP header or URL component overflows the buffer, overwriting adjacent memory and enabling control-flow hijacking.

Because the User Portal process accepts connections on the WAN interface, where users authenticate before downloading VPN clients, the vulnerable parsing code runs before any credentials are checked. The code path is therefore reachable by an unauthenticated remote client, which is why the vulnerability carries a CVSS 9.8 rating with no privileges required.
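The unsafe copy described above, next to a bounds-checked replacement, as an added illustration of the bug class rather than Sophos's code: the advisory does not name the overflowed header or the buffer size, so the Host header and HOST_MAX are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Assumption: the bookmark handler keeps the proxied host in a fixed-size
 * buffer. Illustrative only, not Sophos code; the advisory does not name the
 * overflowed header, so the Host header stands in for it here. */
#define HOST_MAX 64

struct bookmark { char host[HOST_MAX]; };

/* Vulnerable pattern (CWE-120): strcpy copies whatever length the client sent,
 * so HOST_MAX bytes or more overrun b->host. Contrast only; never call it. */
void set_host_unchecked(struct bookmark *b, const char *value)
{
    strcpy(b->host, value);
}

/* Hardened version: reject any value that does not fit together with its
 * terminating NUL, rather than truncating silently. */
bool set_host_checked(struct bookmark *b, const char *value, size_t len)
{
    if (len >= HOST_MAX) return false;
    memcpy(b->host, value, len);
    b->host[len] = '\0';
    return true;
}

/* Find one header in a raw request: returns the value length (CRLF excluded)
 * and sets *out to its start, or returns 0 if the header is absent. */
static size_t find_header(const char *req, const char *name, const char **out)
{
    const char *p = strstr(req, name);
    if (p == NULL) return 0;
    p += strlen(name);
    while (*p == ' ') p++;
    const char *end = strstr(p, "\r\n");
    if (end == NULL) end = p + strlen(p);
    *out = p;
    return (size_t)(end - p);
}

/* Per-request entry point: true only if a Host header was present and fit
 * in the bounded buffer; an oversized value is refused, not copied. */
bool parse_bookmark_request(const char *req, struct bookmark *b)
{
    const char *v = NULL;
    size_t len = find_header(req, "\r\nHost:", &v);
    return len != 0 && set_host_checked(b, v, len);
}
```

The length check uses `>=` so that the terminating NUL always fits; an off-by-one here would turn the fix into a one-byte overflow.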

Discovery

The vulnerability was discovered and reported in June 2020. Sophos deployed an automatic hotfix to connected XG Firewall devices and published a security advisory the same day (June 29, 2020). CISA added it to the KEV catalog in February 2025 when active exploitation was confirmed in fresh intrusion campaigns, nearly five years after the initial patch.

Exploitation Context

Sophos XG Firewall has been a sustained target for sophisticated threat actors throughout the 2020s. The broader XG exploitation campaign — which began in April 2020 with CVE-2020-12271 (SQL injection, exploited as a zero-day by a Chinese APT deploying the Asnarok implant) — demonstrated that state-sponsored actors had deep knowledge of Sophos XG's internals. CVE-2020-15069 was added to CISA's KEV in 2025 alongside other legacy Sophos vulnerabilities, indicating ongoing exploitation of unpatched or end-of-life XG Firewall deployments in enterprise and government networks.

Remediation

  1. Apply the hotfix/upgrade: Ensure the June 2020 hotfix is applied or upgrade to v18.0 MR1 or later. Check the admin console under Administration → Firmware to confirm the applied version.
  2. Restrict User Portal exposure: If SSL VPN access is not required from the internet, restrict or disable the User Portal's WAN-facing access in Device Access settings.
  3. Enable automatic hotfixes: Ensure Sophos automatic update delivery is enabled so future security hotfixes are applied without manual intervention.
  4. Check for compromise: Review XG Firewall logs for unusual administrative activity, unexpected configuration changes, or traffic to unknown external IPs — particularly patterns consistent with persistent implant callbacks.
  5. End-of-life planning: XG Firewall has reached end-of-sale; organizations should evaluate migration to Sophos Firewall (the successor product), which receives ongoing security updates.

Key Details

Property                 Value
CVE ID                   CVE-2020-15069
Vendor / Product         Sophos — XG Firewall
NVD Published            2020-06-29
NVD Last Modified        2025-11-07
CVSS 3.1 Score           9.8
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                 CRITICAL
CWE                      CWE-120
CISA KEV Added           2025-02-06
CISA KEV Deadline        2025-02-27
Known Ransomware Use     No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-02-27. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2020-06-29    CVE-2020-15069 published; Sophos releases hotfix
2025-02-06    Added to CISA Known Exploited Vulnerabilities catalog
2025-02-27    CISA BOD 22-01 remediation deadline