CVE-2020-15069

Summary

CVE	CVE-2020-15069
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-06-29 18:15:00 UTC
Updated	2020-07-16 13:20:00 UTC
Description	Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.

Risk And Classification

EPSS: 0.825670000 probability, percentile 0.992230000 (date 2026-04-01)

CISA KEV: Listed on 2025-02-06; due 2025-02-27; ransomware use Unknown

Problem Types: CWE-120

CISA Known Exploited Vulnerability

Vendor	Sophos
Product	XG Firewall
Name	Sophos XG Firewall Buffer Overflow Vulnerability
Required Action	Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes	https://community.sophos.com/b/security-blog/posts/advisory-buffer-overflow-vulnerability-in-user-portal ; https://nvd.nist.gov/vuln/detail/CVE-2020-15069

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Sophos	Xg Firewall	-	All	All	All
Hardware	Sophos	Xg Firewall	-	All	All	All
Operating System	Sophos	Xg Firewall Firmware	All	All	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	-	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release1	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release10	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release11	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release12	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release3	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release4	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release5	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release6	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release7	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release8	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release9	All	All
Operating System	Sophos	Xg Firewall Firmware	All	All	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	-	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release1	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release10	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release11	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release12	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release3	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release4	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release5	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release6	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release7	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release8	All	All
Operating System	Sophos	Xg Firewall Firmware	17.5	maintenance_release9	All	All

References

Reference	Source	Link	Tags
Advisory: Buffer overflow in XG Firewall v17.x User Portal - Community Security Blog - Sophos Community - Sophos Community	CONFIRM	community.sophos.com	Mitigation, Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis
CISA Known Exploited Vulnerabilities catalog	CISA	www.cisa.gov	kev

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.