SophosCVEs & Vulnerabilities

169 CVEs affecting Sophos products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

web appliance firmware 235sophos anti-virus 171anti-virus 166web appliance 93safeguard enterprise client 42unified threat management 28safeguard easy device encryption client 24safeguard lan crypt client 21
CVE-2022-3980KEVCRITICALin the wild

An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.

11 Apr 2026
9.8
CVSS
CVE-2025-7624CRITICAL

An SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA.

21 Jul 2025
9.8
CVSS
CVE-2025-7382HIGH

A command injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to adjacent attackers achieving pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled.

21 Jul 2025
8.8
CVSS
CVE-2025-6704CRITICAL

An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode.

21 Jul 2025
9.8
CVSS
CVE-2024-13974HIGH

A business logic vulnerability in the Up2Date component of Sophos Firewall older than version 21.0 MR1 (20.0.1) can lead to attackers controlling the firewall’s DNS environment to achieve remote code execution.

21 Jul 2025
8.1
CVSS
CVE-2024-13973HIGH

A post-auth SQL injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR1 (21.0.1) can potentially lead to administrators achieving arbitrary code execution.

21 Jul 2025
7.2
CVSS
CVE-2024-13861HIGH

A code injection vulnerability in the Debian package component of Taegis Endpoint Agent (Linux) versions older than 1.3.10 allows local users arbitrary code execution as root. Redhat-based systems using RPM packages are not affected.

11 Apr 2025
7.8
CVSS
CVE-2020-29574KEVCRITICALin the wild

An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.

6 Feb 2025
9.8
CVSS
CVE-2020-15069KEVCRITICALin the wild

Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.

6 Feb 2025
9.8
CVSS
CVE-2024-12729HIGH

A post-auth code injection vulnerability in the User Portal allows authenticated users to execute code remotely in Sophos Firewall older than version 21.0 MR1 (21.0.1).

20 Dec 2024
8.8
CVSS
CVE-2024-12728CRITICAL

A weak credentials vulnerability potentially allows privileged system access via SSH to Sophos Firewall older than version 20.0 MR3 (20.0.3).

20 Dec 2024
9.8
CVSS
CVE-2024-12727CRITICAL

A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.

20 Dec 2024
9.8
CVSS
CVE-2021-36806MEDIUM

A reflected XSS vulnerability allows an open redirect when the victim clicks a malicious link to an error page on Sophos Email Appliance older than version 4.5.3.4.

30 Nov 2023
6.1
CVSS
CVE-2023-1671KEVCRITICALin the wild

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.

16 Nov 2023
9.8
CVSS
CVE-2023-5552HIGH

A password disclosure vulnerability in the Secure PDF eXchange (SPX) feature allows attackers with full email access to decrypt PDFs in Sophos Firewall version 19.5 MR3 (19.5.3) and older, if the password type is set to “Specified by sender”.

18 Oct 2023
7.5
CVSS
CVE-2023-33335MEDIUM

Cross Site Scripting (XSS) in Sophos Sophos iView (The EOL was December 31st 2020) in grpname parameter that allows arbitrary script to be executed.

5 Jul 2023
6.1
CVSS
CVE-2023-33336MEDIUM

Reflected cross site scripting (XSS) vulnerability was discovered in Sophos Web Appliance v4.3.9.1 that allows for arbitrary code to be inputted via the double quotes.

30 Jun 2023
4.8
CVSS
CVE-2022-4934HIGH

A post-auth command injection vulnerability in the exception wizard of Sophos Web Appliance older than version 4.3.10.4 allows administrators to execute arbitrary code.

4 Apr 2023
7.2
CVSS
CVE-2020-36692MEDIUM

A reflected XSS via POST vulnerability in report scheduler of Sophos Web Appliance versions older than 4.3.10.4 allows execution of JavaScript code in the victim browser via a malicious form that must be manually submitted by the victim while logged in to SWA.

4 Apr 2023
5.4
CVSS
CVE-2022-4901MEDIUM

Multiple stored XSS vulnerabilities in Sophos Connect versions older than 2.2.90 allow Javascript code to run in the local UI via a malicious VPN configuration that must be manually loaded by the victim.

1 Mar 2023
6.1
CVSS
CVE-2022-48310MEDIUM

An information disclosure vulnerability allows sensitive key material to be included in technical support archives in Sophos Connect versions older than 2.2.90.

1 Mar 2023
5.5
CVSS
CVE-2022-48309MEDIUM

A CSRF vulnerability allows malicious websites to retrieve logs and technical support archives in Sophos Connect versions older than 2.2.90.

1 Mar 2023
4.3
CVSS
CVE-2022-3713HIGH

A code injection vulnerability allows adjacent attackers to execute code in the Wifi controller of Sophos Firewall releases older than version 19.5 GA.

1 Dec 2022
8.8
CVSS
CVE-2022-3711MEDIUM

A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall releases older than version 19.5 GA.

1 Dec 2022
4.3
CVSS
CVE-2022-3710LOW

A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA.

1 Dec 2022
2.7
CVSS
CVE-2022-3709HIGH

A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA.

1 Dec 2022
8.4
CVSS
CVE-2022-3696HIGH

A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA.

1 Dec 2022
7.2
CVSS
CVE-2022-3226HIGH

An OS command injection vulnerability allows admins to execute code via SSL VPN configuration uploads in Sophos Firewall releases older than version 19.5 GA.

1 Dec 2022
7.2
CVSS
CVE-2022-3236KEVCRITICALin the wild

A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.

23 Sep 2022
9.8
CVSS
CVE-2022-1807HIGH

Multiple SQLi vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 18.5 MR4 and version 19.0 MR1.

7 Sep 2022
7.2
CVSS
CVE-2021-25268HIGH

Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from MySophos admin to SFOS admin in Sophos Firewall older than version 19.0 GA.

5 May 2022
8.4
CVSS
CVE-2021-25267HIGH

Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 19.0 GA.

5 May 2022
8.4
CVSS
CVE-2021-25266LOW

An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495.

27 Apr 2022
3.9
CVSS
CVE-2022-1040KEVCRITICALin the wild

An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.

31 Mar 2022
9.8
CVSS
CVE-2022-0331MEDIUM

An information disclosure vulnerability in Webadmin allows an unauthenticated remote attacker to read the device serial number in Sophos Firewall version v18.5 MR2 and older.

29 Mar 2022
5.3
CVSS
CVE-2020-25223KEVCRITICALin the wild

A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11

25 Mar 2022
9.8
CVSS
CVE-2022-0652HIGH

Confd log files contain local users', including root’s, SHA512crypt password hashes with insecure access permissions. This allows a local attacker to attempt off-line brute-force attacks against these password hashes in Sophos UTM before version 9.710.

22 Mar 2022
7.8
CVSS
CVE-2022-0386HIGH

A post-auth SQL injection vulnerability in the Mail Manager potentially allows an authenticated attacker to execute code in Sophos UTM before version 9.710.

22 Mar 2022
8.8
CVSS
CVE-2021-36809MEDIUM

A local attacker can overwrite arbitrary files on the system with VPN client logs using administrator privileges, potentially resulting in a denial of service and data loss, in all versions of Sophos SSL VPN client.

8 Mar 2022
6.0
CVSS
CVE-2021-36807HIGH

An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.

26 Nov 2021
8.8
CVSS
CVE-2021-25269MEDIUM

A local administrator could prevent the HMPA service from starting despite tamper protection using an unquoted service path vulnerability in the HMPA component of Sophos Intercept X Advanced and Sophos Intercept X Advanced for Server before version 2.0.23, as well as Sophos Exploit Prevention before version 3.8.3.

26 Nov 2021
4.4
CVSS
CVE-2020-12271KEVCRITICALin the wild

A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)

3 Nov 2021
9.8
CVSS
CVE-2021-36808HIGH

A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.

30 Oct 2021
7.0
CVSS
CVE-2021-25271MEDIUM

A local attacker could read or write arbitrary files with administrator privileges in HitmanPro before version Build 318.

8 Oct 2021
6.0
CVSS
CVE-2021-25270MEDIUM

A local attacker could execute arbitrary code with administrator privileges in HitmanPro.Alert before version Build 901.

8 Oct 2021
6.7
CVSS
CVE-2021-25273MEDIUM

Stored XSS can execute as administrator in quarantined email detail view in Sophos UTM before version 9.706.

29 Jul 2021
4.8
CVSS
CVE-2021-25264MEDIUM

In multiple versions of Sophos Endpoint products for MacOS, a local attacker could execute arbitrary code with administrator privileges.

17 May 2021
6.7
CVSS
CVE-2021-25265HIGH

A malicious website could execute code remotely in Sophos Connect Client before version 2.1.

22 Mar 2021
8.8
CVSS
← PrevPage 1 / 4Next →