PT-2019-9222 · Sophos · Sophos Firewall

Published

2019-06-20

·

Updated

2019-06-25

·

CVE-2018-16118

CVSS v2.0

9.3

High

Vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Sophos XG firewall version 17.0.8 MR-8

Description: A shell escape issue in the API Configuration component allows remote attackers to execute arbitrary OS commands. This is achieved by injecting shell metacharacters into the X-Forwarded-For HTTP header in the /webconsole/APIController API endpoint.

Recommendations: For Sophos XG firewall version 17.0.8 MR-8, consider restricting access to the /webconsole/APIController API endpoint until a patch is available. As a temporary workaround, avoid using the X-Forwarded-For HTTP header in this endpoint to minimize the risk of exploitation.
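A stricter control than dropping the header outright, added here as an example (not from the advisory or from Sophos): a reverse-proxy or WAF style allowlist check that accepts X-Forwarded-For only as a comma-separated list of IP literals and reports every request to /webconsole/APIController whose header fails that check. The sample requests are constructed for illustration.

```python
import ipaddress

# Constructed sample requests (method, path, X-Forwarded-For value); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/webconsole/APIController", "203.0.113.5"),
    ("POST", "/webconsole/APIController", "203.0.113.5, 198.51.100.7"),
    ("POST", "/webconsole/APIController", "203.0.113.5;`x`"),   # shell metacharacters
    ("POST", "/webconsole/APIController", ""),                   # empty header
    ("GET", "/webconsole/login.jsp", "not-an-ip$(x)"),           # other endpoint, ignored
]

API_ENDPOINT = "/webconsole/APIController"


def valid_forwarded_for(value: str) -> bool:
    """Allowlist check: the header must be a non-empty, comma-separated list of
    IPv4 or IPv6 literals. Anything else (ports, hostnames, 'unknown', shell
    metacharacters) is rejected rather than sanitised, so nothing reaches a shell."""
    parts = [p.strip() for p in value.split(",")]
    if any(p == "" for p in parts):
        return False
    try:
        for p in parts:
            ipaddress.ip_address(p)
    except ValueError:
        return False
    return True


def triage(requests):
    """Return (method, path, header) for requests to the API endpoint whose
    X-Forwarded-For header fails the allowlist; these are the ones to block
    and alert on. Requests to other paths are not evaluated here."""
    return [
        (method, path, xff)
        for method, path, xff in requests
        if path == API_ENDPOINT and not valid_forwarded_for(xff)
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print("REJECT", finding)
```

Enforcing the check at the proxy in front of the firewall's management interface means a malformed header is refused before the vulnerable component ever sees it, and each rejection is a detection event in its own right.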

Fix

OS Command Injection


Weakness Enumeration

Related identifiers

CVE-2018-16118

Affected products

Sophos Firewall