PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9553 Sophos CVE debrief

CVE-2016-9553 affects Sophos Web Appliance 4.2.1.3 and involves two remote command injection issues in the web administrative interface. The vulnerable MgrReport.php controller mishandles the blockip and unblockip inputs before shell execution, creating a path for injected system commands. Sophos tracks the issue as NSWA-1258.

Vendor
Sophos
Product
Sophos Web Appliance 4.2.1.3
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-28
Original CVE updated
2026-05-13
Advisory published
2017-01-28
Advisory updated
2026-05-13

Who should care

Administrators and security teams responsible for Sophos Web Appliance deployments, especially systems still running version 4.2.1.3 or exposing the administrative interface more broadly than necessary.

Technical summary

NVD lists the vulnerable CPE as sophos:web_appliance:4.2.1.3 and classifies the weakness as CWE-77 (improper neutralization of special elements used in a command). The issue is described as improper escaping of data passed via the blockip and unblockip parameters in /controllers/MgrReport.php before shell_exec() is called, so shell metacharacters in either value are interpreted by the shell and attacker-supplied commands run on the appliance through the administrative IP block/unblock workflow. The published CVSS 3.0 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: the attack is network-reachable and low-complexity with full confidentiality, integrity and availability impact, but PR:H means it requires an authenticated administrator, so the realistic paths are stolen or weak admin credentials and an admin interface reachable from untrusted networks.
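To make the weakness class concrete, the following PHP is an added illustration written for this debrief; it is not Sophos's code and does not reproduce MgrReport.php. It shows the vulnerable shape the advisory describes (a blockip or unblockip value concatenated into a shell_exec() command string) next to a hardened handler that validates the value as an IP literal and escapes it. The parameter names blockip and unblockip come from the advisory; the iptables command, the function names and the request array are assumptions chosen for illustration.

```php
<?php
// Added example for CVE-2016-9553's weakness class (CWE-77). Not Sophos's code.
// Assumed for illustration: the handler runs an iptables rule and receives the
// request parameters as an associative array.

// VULNERABLE shape: the parameter goes straight into the command string.
// A value such as "203.0.113.10; id" makes the shell run "id" as well.
function block_ip_vulnerable(array $request): string
{
    $ip = $request['blockip'] ?? '';
    // No validation and no escaping: the shell parses metacharacters in $ip.
    return (string) shell_exec("iptables -I INPUT -s $ip -j DROP");
}

// HARDENED shape, step 1: accept only a well-formed IPv4/IPv6 literal.
// "203.0.113.10; id" and "203.0.113.10 -j ACCEPT" both fail this check.
function validate_ip(string $candidate): ?string
{
    $ip = filter_var(trim($candidate), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// HARDENED shape, step 2: the action selects a fixed rule template and the
// argument is wrapped by escapeshellarg(), so the shell sees one literal word.
function firewall_command(string $action, string $ip): string
{
    $rules = [
        'blockip'   => 'iptables -I INPUT -s %s -j DROP',
        'unblockip' => 'iptables -D INPUT -s %s -j DROP',
    ];
    if (!isset($rules[$action])) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    return sprintf($rules[$action], escapeshellarg($ip));
}

function block_ip_hardened(array $request): string
{
    foreach (['blockip', 'unblockip'] as $action) {
        if (!isset($request[$action])) {
            continue;
        }
        $ip = validate_ip((string) $request[$action]);
        if ($ip === null) {
            throw new InvalidArgumentException("$action: not a valid IP address");
        }
        return (string) shell_exec(firewall_command($action, $ip));
    }
    throw new InvalidArgumentException('no blockip/unblockip parameter supplied');
}

// Demonstration on a constructed request. Nothing is executed here: the
// vulnerable branch only prints the string it would hand to the shell, and
// the hardened branch rejects the input before shell_exec() is reached.
$payload = ['blockip' => '203.0.113.10; id'];
echo "vulnerable would run: iptables -I INPUT -s {$payload['blockip']} -j DROP\n";
try {
    block_ip_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened rejects it: {$e->getMessage()}\n";
}
// For a legitimate value the hardened path produces a single-quoted argument:
echo "hardened command for a valid IP: ", firewall_command('blockip', '203.0.113.10'), "\n";
```

The validation step is the one that matters: escapeshellarg() alone stops shell parsing, but an allow-list check on the value's shape also prevents passing extra iptables flags or other non-address content into the command, which is the general fix for CWE-77 regardless of the command being wrapped.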

Defensive priority

High. The vulnerability is in an admin-facing component and leads to command execution on the appliance with high confidentiality, integrity and availability impact. Because the CVSS vector requires high privileges, the exposure is driven by how the administrative interface is reached and who holds admin credentials; an internet-exposed or widely reachable admin interface raises the priority further.

Recommended defensive actions

  • Follow Sophos's remediation guidance in the SWA 4.3.1 release notes and upgrade vulnerable 4.2.1.3 deployments.
  • Restrict access to the appliance's administrative interface to trusted management networks only.
  • Review administrative activity and shell-related logs for signs of unauthorized command execution or suspicious IP block/unblock actions.
  • If the appliance may have been exposed, investigate for unauthorized configuration changes or other indicators of compromise.

Evidence notes

Source description states that Sophos Web Appliance 4.2.1.3 is vulnerable to two remote command injection issues in MgrReport.php (/controllers/MgrReport.php) involving the blockip and unblockip variables before shell_exec() is called. NVD provides the affected CPE, CVSS v3.0 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, and CWE-77. The supplied corpus also cites Sophos release notes and a third-party advisory, along with an exploit reference URL, but this debrief excludes exploit details.

Official resources

Publicly disclosed on 2017-01-28. The supplied NVD record was last modified on 2026-05-13. This debrief uses the CVE published date for timing context.