🔴 CVE-2020-29574

A critical SQL injection vulnerability in the Cyberoam OS WebAdmin interface allows unauthenticated remote attackers to execute arbitrary SQL statements. It affects network security appliances that are typically deployed as internet-facing gateway devices.

Risk Level: HIGH_RISK

CVSS Score: 9.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2020-12-11

Added to CISA KEV: 2025-02-06 (1518 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2020-29574 is a critical SQL injection vulnerability affecting the WebAdmin interface of Cyberoam OS [2].

Exploitation and Threat Actor Usage
  • Active Exploitation: This vulnerability was actively exploited in the wild [4].
  • Threat Actor Usage: It was utilized by sophisticated, China-based threat actors in campaigns targeting publicly reachable network appliances between 2020 and 2022 [1]. These actors specifically targeted WAN-facing services to gain unauthorized access [1].

Attack Method and Requirements
  • Method: The vulnerability is an SQL injection (SQLi) flaw in the WebAdmin component of Cyberoam OS [2].
  • Requirements: It allows unauthenticated attackers to execute arbitrary SQL statements remotely [2]. No user interaction is required to trigger the exploit.

Impact and Access
  • Impact: Successful exploitation allows attackers to perform unauthorized actions, such as creating new administrative accounts on the affected device [1]. This effectively grants the attacker full control over the network appliance.

Affected Products and Mitigation
  • Affected Versions: Cyberoam OS versions through December 4, 2020 [2].
  • Patch Status: Sophos released a hotfix for all supported Cyberoam OS devices starting December 4, 2020 [3]. The hotfix was also distributed to end-of-life (EOL) versions 10.6.2 and later [3].
  • Recommendation: Users were advised to upgrade to XG Firewall v17.5 or the latest available Cyberoam OS release to ensure full protection [3].

Sources

  1. Pacific Rim: Inside the Counter-Offensive—The TTPs Used... | SOPHOS

    Cyberoam account creation attack (CVE-2020-29574), November 2020. Beginning in early 2020 and continuing through much of 2022, the adversaries spent considerable effort and resources to engage in multiple campaigns to discover and then target publicly reachable network appliances. In a rapid cadence…

  2. CVE-2020-29574 Detail - NVD

    An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.

  3. Resolved SQLi in Cyberoam OS WebAdmin (CVE-2020-29574)

    Overview. An SQL Injection vulnerability in the WebAdmin of Cyberoam OS was recently discovered and has been patched through a hotfix. ... Hotfix distributed to all supported Cyberoam OS devices starting December 4, 2020. Hotfix also distributed to unsupported EOL Cyberoam versions 10.6.2 and later.

  4. Activity Feed | AttackerKB

    AttackerKB Worker reported CVE-2020-29574 as Exploited in the Wild.