The agency has added CVE-2023-1671, a critical flaw in Sophos Web Appliance that can be exploited for arbitrary code execution and which CISA says has been exploited in attacks. Sophos released patches in April 2023 and informed customers that the appliance would reach end of life on July 20, 2023.
No public reports describe attacks exploiting CVE-2023-1671, and Sophos had not provided clarifications to SecurityWeek at the time of publication.
Sophos product vulnerabilities are frequently targeted by threat actors; some of these attacks, attributed to a Chinese APT group, have hit government and other organizations in South Asia. CISA’s Known Exploited Vulnerabilities (KEV) catalog already lists four other Sophos vulnerabilities, discovered in 2020 and 2022.
Another vulnerability added to the KEV catalog, CVE-2020-2551, is a deserialization flaw in the IIOP protocol of Oracle WebLogic Server that allows unauthenticated attackers to take control of affected servers. According to a blog post by EclecticIQ, it was one of four vulnerabilities a Chinese threat actor exploited for initial compromise.
CISA has also added CVE-2023-36584, a Windows vulnerability that allows attackers to bypass the Mark of the Web (MotW) security feature, so that a file downloaded from the internet can be opened without the warnings and restrictions Windows and Office normally apply to such content. Palo Alto Networks discovered the flaw while analyzing attacks by a Russia-linked APT, but the details of its exploitation are not clear.
Sophos has issued a statement pointing out that a patch was released in April 2023 for all Sophos Web Appliances, and recommending that customers migrate to Sophos Firewall for optimal security.
Palo Alto Networks has confirmed that it has not observed exploitation of the MotW bypass vulnerability, CVE-2023-36584, and has clarified how it discovered the flaw and reported it to Microsoft.