Voyager18 (research)

How to fix CVE-2023-1671 in Sophos Web Appliance

CVE-2023-1671 - a vulnerability in Sophos Web Appliance - has been identified and reported to the Sophos bug bounty program. Here's what you need to know.

Yair Divinsky | May 03, 2023

A pre-auth command injection vulnerability in the warn-proceed handler, allowing execution of arbitrary code, was discovered by an external security researcher and responsibly disclosed to Sophos via the Sophos bug bounty program.

Sophos released an advisory, available for download at sophos.com, on April 4, 2023.

What is CVE-2023-1671?

This critical code execution vulnerability was found in Sophos Web Appliance. It affects an unspecified function of the Warn-proceed Handler component: manipulation of unspecified input leads to command injection. The weakness is classified as CWE-77 and threatens the confidentiality, integrity, and availability of affected systems.

The software constructs all or part of a command using externally influenced input from an upstream component, but does not neutralize, or incorrectly neutralizes, special elements that could modify the intended command when it is sent to a downstream component. The result is an impact on confidentiality, integrity, and availability.

The advisory was published on 04/04/2023 and is available for download at sophos.com.

Does it affect me?

If you are using Sophos Web Appliance and have not yet received the 4.3.10.4 update, you may be at risk of a pre-auth command injection exploit. It is crucial to address this issue immediately by applying the patch published by Sophos.

The good news is that SWA customers do not need to take any action, since updates are installed automatically by default. Nevertheless, Sophos recommends that the Web Appliance be protected by a firewall and not be accessible from the public Internet, to reduce the risk of unauthorized access and exploitation of any potential vulnerabilities.

Has CVE-2023-1671 been actively exploited in the wild?

A PoC for CVE-2023-1671 is now available on GitHub. It demonstrates how the vulnerability can be exploited, providing insight for both security researchers and potential attackers, and its publication emphasizes the need for affected users to apply the patch as soon as possible to protect their systems.

Because the flaw is high-risk, a pre-auth command injection in the warn-proceed handler, the PoC publication has drawn considerable attention in the cyber security community, and it poses significant risk to users who remain unpatched.

With the PoC now publicly available, it’s more important than ever for users to understand the vulnerability and take appropriate measures to safeguard their systems.

How to fix CVE-2023-1671

To address CVE-2023-1671, Sophos has released SWA 4.3.10.4. According to the Sophos security advisory, none of the flaws addressed in the advisory had been publicly disclosed or found to be exploited in the wild.

As mentioned before, Sophos recommends adding an extra layer of security by protecting the Web Appliance with a firewall and ensuring it is not accessible via the public internet. An additional layer of security further reduces the risk of unauthorized access and exploitation of any potential vulnerabilities. 

The patch provided by Sophos addresses the vulnerability in the /opt/ws/bin/ftsblistpack Perl script. It alters the script's invocation of the system function so that no shell is invoked, which stops attackers from exploiting the flaw. Comparing the unpatched and patched code shows that /opt/ui/apache/htdocs/controllers/UsrBlocked.php shells out to ftsblistpack with user-supplied parameters.

Notably, even in the unpatched code that user-controlled input passes through PHP's escapeshellarg function, which escapes the argument and wraps it in single quotes. That quoting protects the argument only against the shell PHP itself spawns: the shell strips the quotes before ftsblistpack receives the argument, so when the script then handed the argument to a second shell through system, the metacharacters inside it were interpreted again. This is why escapeshellarg plays a vital role in the vulnerability's exploitation.
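The two-layer shell problem described above, as an added Python illustration (not code from Sophos or from the appliance): a PHP-style escapeshellarg is reimplemented, the first shell pass is simulated with shlex, and the vulnerable string-form invocation is only built for inspection while the patched list-form invocation is actually run with a Python child standing in for ftsblistpack. The helper names and the sample argument are constructed for this example.

```python
import shlex
import subprocess
import sys


def php_escapeshellarg(value: str) -> str:
    """Equivalent of PHP's escapeshellarg(): wrap the argument in single
    quotes and escape any embedded single quote as '\\'' (constructed helper)."""
    return "'" + value.replace("'", "'\\''") + "'"


def argv_seen_by_helper(value: str) -> list:
    """First layer: PHP builds 'helper <quoted>' and runs it through a shell.
    That shell consumes the quotes, so the helper's argv holds the raw text."""
    return shlex.split("helper " + php_escapeshellarg(value))


def unpatched_command_string(arg: str) -> str:
    """Second layer, vulnerable shape: the helper interpolates its argv[1]
    into one string for system(), which would go to /bin/sh -c. Returned
    only, never executed, so the metacharacters can be inspected safely."""
    return "process-list " + arg


def patched_invoke(arg: str) -> str:
    """Second layer, patched shape: list-form invocation, no shell spawned,
    so the argument reaches the child byte-for-byte. A Python child stands
    in for the real helper; it echoes back exactly what it received."""
    child = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.argv[1])", arg]
    return subprocess.run(child, capture_output=True, text=True,
                          check=True).stdout


if __name__ == "__main__":
    # Constructed sample input containing a harmless shell metacharacter.
    untrusted = "blocked.lst; echo not-a-filename"
    inner = argv_seen_by_helper(untrusted)[1]
    print("helper receives :", repr(inner))                  # quotes already gone
    print("string form     :", unpatched_command_string(inner))  # ';' reaches sh
    print("list form passes:", repr(patched_invoke(inner)))  # literal, no shell
```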

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:

  1. VulnRX – cyber risk and threat database
  2. Q1 2023 Vulnerability watch report
  3. MITRE ATTACK framework – Mapping techniques to CVEs 
  4. Exploit maturity: an introduction 
  5. OWASP Top 10 vulnerabilities 2022: what we learned

And finally…

Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.
