PatchSiren cyber security CVE debrief
CVE-2016-9554 Sophos CVE debrief
CVE-2016-9554 describes a remote command injection in Sophos Web Appliance 4.2.1.3’s web administrative interface. The issue is in MgrDiagnosticTools.php, where the url parameter is passed to executeCommand/exec() without proper escaping, and the vulnerable page is reached through the configuration section. Successful abuse can yield shell access as the spiderman user.
- Vendor
- Sophos
- Product
- Sophos Web Appliance
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-01-28
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-01-28
- Advisory updated
- 2026-05-13
Who should care
Administrators and security teams responsible for Sophos Web Appliance / Secure Web Gateway deployments, especially any environment that still runs version 4.2.1.3 or exposes the web administration interface beyond a management network. Because the flaw sits in an authenticated administrative workflow, the controls that matter are who can reach the interface, whether the appliance is patched, and whether administrative activity is logged and reviewed.
Technical summary
The supplied CVE and NVD metadata describe a network-reachable command injection (CWE-77) in /controllers/MgrDiagnosticTools.php. Diagnostic testing logic that fetches a caller-supplied address with the UNIX wget utility accepts the url input and forwards it to executeCommand/exec() without adequate escaping, so shell metacharacters in the value are interpreted as part of the command line rather than as part of the URL. The NVD vector is CVSS 3.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, 7.2 High: PR:H means the attacker must already hold a high-privilege account on the administrative interface, but once that hurdle is cleared the impact is full loss of confidentiality, integrity, and availability on the appliance. The vulnerable path is reached via section=configuration, and the description states that successful exploitation yields shell access under the spiderman account.
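The following is an added illustration of the CWE-77 pattern described in the summary, written in Python rather than the appliance's PHP and not taken from Sophos code: a diagnostic helper that hands a caller-supplied URL to wget, built the unsafe way (the value spliced into a shell line, as the page describes url reaching exec()), beside two hardened forms (shell-escaping the value, or passing it as a single argv element with no shell). The function names, the fixed wget options and the sample payload are this example's assumptions. Nothing is executed; the shell lines are only tokenised the way sh would read them, which is enough to see where the second command comes from.

```python
"""CWE-77 illustration: unsafe vs. hardened construction of a wget diagnostic command.
Added example, not the appliance's code; names and options are assumptions."""
import shlex
from typing import List
from urllib.parse import urlsplit

WGET_PREFIX = ["wget", "-q", "-O", "/dev/null"]   # fixed part of the diagnostic command (assumed)


def build_wget_command_unsafe(url: str) -> str:
    """Vulnerable form: the raw url is concatenated into a string meant for a shell."""
    return " ".join(WGET_PREFIX) + " " + url


def build_wget_command_escaped(url: str) -> str:
    """Still a shell line, but the url is quoted so the shell sees exactly one word
    (the Python counterpart of PHP's escapeshellarg)."""
    return " ".join(WGET_PREFIX) + " " + shlex.quote(url)


def build_wget_argv(url: str) -> List[str]:
    """Preferred form: validate the input, then return an argv list for
    subprocess.run(argv) with no shell, so metacharacters are never parsed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are accepted: %r" % url)
    return WGET_PREFIX + ["--", url]   # "--" keeps wget from reading the value as an option


def shell_commands(cmdline: str) -> List[List[str]]:
    """Tokenise a shell line as sh would and split it into the separate commands
    the shell would run (split on ; & && | ||). Used here only to inspect, never to run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""          # keep '#' so a URL fragment is not treated as a comment
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    payload = "http://example.com/;id"      # constructed attacker-controlled value
    print(shell_commands(build_wget_command_unsafe(payload)))   # two commands: wget ... and id
    print(shell_commands(build_wget_command_escaped(payload)))  # one command, url intact
    print(build_wget_argv(payload))                             # argv list, url is one element
    try:
        build_wget_argv(";id")
    except ValueError as err:
        print("rejected:", err)
```

The argv form is the one to prefer: escaping fixes the shell boundary but still depends on the escaping being applied at every call site, whereas an argv list plus an allowlist on scheme and host removes the shell from the path entirely and also stops the value being used as a wget option.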
Defensive priority
High — remote command injection in an admin-facing path can provide shell access and broad confidentiality, integrity, and availability impact, even though high privileges are required.
Recommended defensive actions
- Identify any Sophos Web Appliance / Secure Web Gateway systems that match the affected 4.2.1.3 version cited in the corpus.
- Review the Sophos release notes reference in the corpus and apply the vendor remediation or upgrade path for the affected appliance.
- Restrict access to the web administrative interface to trusted management networks and authorized accounts only.
- Review authentication and request logs for administrative access to section=configuration and for unusual diagnostic or wget-related activity.
- Investigate any signs of shell access or unexpected activity associated with the spiderman account.
- If command-injection exposure is confirmed and integrity cannot be trusted, rebuild or reimage the affected appliance before returning it to service.
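As an added example for the log-review step above (not a Sophos tool or a log format documented on this page), the script below triages constructed web-access-log lines for requests to the vulnerable section whose url parameter carries shell metacharacters or is not an absolute http(s) URL. The request layout (an index.php target carrying section=configuration and a url query parameter), the combined-log-format regex and the sample lines are assumptions; the page only states that the vulnerable page is reached via section=configuration and that the url parameter is what reaches exec(). Adjust LOG_RE and the parameter names to what the appliance really logs.

```python
"""Triage constructed access-log lines for CVE-2016-9554-style url injection attempts.
Added example; log format, request layout and sample lines are assumptions."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed, combined-log-format style lines. Lines 2-4 carry injection-shaped values.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jan/2017:10:01:02 +0000] "GET /index.php?section=configuration&url=http://intranet.example/ HTTP/1.1" 200 512
10.0.0.5 - admin [12/Jan/2017:10:01:40 +0000] "GET /index.php?section=configuration&url=http://intranet.example/%3Bid HTTP/1.1" 200 640
10.0.0.5 - admin [12/Jan/2017:10:02:11 +0000] "GET /index.php?section=configuration&url=%24(id) HTTP/1.1" 200 640
10.0.0.5 - admin [12/Jan/2017:10:02:45 +0000] "GET /index.php?section=configuration&url=file:///etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - admin [12/Jan/2017:10:03:00 +0000] "GET /index.php?section=status HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Characters that let a value break out of a shell word when it is spliced in unescaped.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\]")


def inspect_url_value(value: str) -> List[str]:
    """Reasons a percent-decoded url value looks like an injection attempt (empty if clean)."""
    reasons = []
    if SHELL_META.search(value):
        reasons.append("shell metacharacter in url")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        reasons.append("not an absolute http(s) URL")
    return reasons


def triage_line(line: str) -> Optional[Dict]:
    """Return a finding for one log line, or None if the line is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    params = parse_qs(target.query, keep_blank_values=True)   # percent-decodes the values
    if params.get("section") != ["configuration"]:
        return None                          # not the vulnerable section
    for value in params.get("url", []):
        reasons = inspect_url_value(value)
        if reasons:
            return {"src": m.group("src"), "user": m.group("user"),
                    "time": m.group("ts"), "url": value, "reasons": reasons}
    return None


def triage(log_text: str) -> List[Dict]:
    """All suspicious configuration-section requests in a block of log text."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["time"], finding["src"], finding["user"],
              repr(finding["url"]), "; ".join(finding["reasons"]))
```

Two caveats when running this for real: a web server's access log records only the request line, so if the diagnostic form submits the url parameter in a POST body the value will not appear there and the application's own request logging is needed; and an absent hit is not proof of absence, since an attacker with administrative credentials may also have cleared logs, which is one reason the rebuild step above exists.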
Evidence notes
All substantive claims here are grounded in the supplied CVE description and NVD metadata: the flaw is described as remote command injection in Sophos Web Appliance 4.2.1.3, the weak point is MgrDiagnosticTools.php, unsanitized url input reaches exec(), the vulnerable entry point is section=configuration, and the described result is shell access under the spiderman user. NVD classifies the issue as CWE-77 and publishes CVSS 3.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2 High). The corpus also cites a Sophos release notes page and a third-party advisory entry; those are noted as references only, without adding unsupported remediation details.
Official resources
- CVE-2016-9554 CVE record (CVE.org)
- CVE-2016-9554 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] - Exploit
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Release Notes
CVE published on 2017-01-28T12:59:00.180Z. The record was later modified on 2026-05-13T00:24:29.033Z; do not treat the modification timestamp as the issue date.