What happened
CISA added CVE-2020-15069 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-02-06, with a remediation due date of 2025-02-27 and a required action to apply vendor mitigations or discontinue use if unavailable (CISA KEV). The entry identifies Sophos XG Firewall as affected and describes a buffer overflow that enables remote code execution via the "HTTP/S bookmark" feature (CISA KEV). The vulnerability maps to CWE-120 (Classic Buffer Overflow) in public CVE metadata (NVD CVE-2020-15069). Presence in KEV indicates confirmed exploitation in the wild and demands prioritized remediation by impacted organizations (CISA KEV).
Why it matters
Remote code execution on a security appliance represents high operational risk because an attacker who reaches the flaw can run arbitrary code on the device that enforces perimeter policy (NVD CVE-2020-15069). CISA's decision to list the issue in KEV means exploitation has been observed and agencies are expected to remediate on a short timeline (CISA KEV). The CVE is formally recorded and tracked by the CNA program, ensuring consistent identifier usage across tooling and advisories (MITRE CVE-2020-15069).
Technical detail
Per the KEV entry, the flaw is a buffer overflow in Sophos XG Firewall's "HTTP/S bookmark" feature that can be triggered remotely to achieve code execution (CISA KEV). The weakness maps to CWE-120 (Classic Buffer Overflow), a memory-corruption class in which input overruns a buffer because bounds are not checked (NVD CVE-2020-15069). The identifier, product, and high-level description are corroborated by the authoritative CVE record maintained under the CVE Program (MITRE CVE-2020-15069). As a KEV-listed RCE in a firewall platform, the operational impact of successful exploitation is severe, warranting immediate patching and verification (CISA KEV).
Defense
Follow CISA’s required action: apply mitigations per the vendor or discontinue use of the product if mitigations are unavailable, no later than 2025-02-27 (CISA KEV). Validate remediation by ensuring your vulnerability management sources reflect closure for CVE-2020-15069 using the canonical CVE data as reference (NVD CVE-2020-15069; MITRE CVE-2020-15069). Prioritize inventory and remediation workflows wherever Sophos XG Firewall is present, aligning your backlog with the KEV due date and required action to minimize exposure during active exploitation windows (CISA KEV). Continue to track KEV updates to capture any new guidance or changes to remediation expectations for this CVE (CISA KEV).
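The KEV-tracking and inventory-matching steps above, as an added Python example (not from this page or from Lyrie): it parses a feed in the shape CISA publishes, matches entries against an asset list and computes days remaining to the due date. The feed sample and the inventory are constructed; the second feed entry is a placeholder, not a real CVE.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (same field names CISA publishes).
# The first entry uses the dates stated in the text; the second is filler with a placeholder CVE ID.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2020-15069", "vendorProject": "Sophos", "product": "XG Firewall",
     "vulnerabilityName": "Sophos XG Firewall Buffer Overflow Vulnerability",
     "dateAdded": "2025-02-06", "dueDate": "2025-02-27",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "placeholder entry", "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
     "requiredAction": "placeholder"},
]})

# Constructed asset inventory: hostname plus the vendor/product strings a CMDB would record.
INVENTORY = [
    {"host": "fw-edge-01", "vendorProject": "Sophos", "product": "XG Firewall"},
    {"host": "fw-edge-02", "vendorProject": "sophos", "product": "XG  Firewall"},  # sloppy casing/spacing
    {"host": "web-01", "vendorProject": "Apache", "product": "HTTP Server"},
]

def _norm(s):
    # Case- and whitespace-insensitive comparison so inventory typos do not hide a match.
    return " ".join(s.lower().split())

def match_kev_to_inventory(kev_json, inventory):
    """Return one record per (asset, KEV entry) pair whose vendor and product both match."""
    entries = json.loads(kev_json)["vulnerabilities"]
    hits = []
    for asset in inventory:
        for e in entries:
            if _norm(e["vendorProject"]) == _norm(asset["vendorProject"]) and _norm(e["product"]) == _norm(asset["product"]):
                hits.append({"host": asset["host"], "cveID": e["cveID"], "dueDate": e["dueDate"],
                             "requiredAction": e["requiredAction"]})
    return hits

def days_until_due(due_date_iso, today_iso):
    """Days left before the KEV due date; negative means the deadline has already passed."""
    return (date.fromisoformat(due_date_iso) - date.fromisoformat(today_iso)).days

def triage(kev_json, inventory, today_iso):
    """Matched assets annotated with remaining days, most urgent (or most overdue) first."""
    rows = [{**h, "daysLeft": days_until_due(h["dueDate"], today_iso)}
            for h in match_kev_to_inventory(kev_json, inventory)]
    rows.sort(key=lambda r: r["daysLeft"])
    return rows

if __name__ == "__main__":
    for r in triage(KEV_SAMPLE, INVENTORY, "2025-02-10"):
        print(f'{r["host"]}: {r["cveID"]} due {r["dueDate"]} ({r["daysLeft"]} days left)')
```

Point `KEV_SAMPLE` at the live feed and `INVENTORY` at your CMDB export to get the same report on real data.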
Lyrie Verdict
This is an active-exploitation firewall RCE, now elevated by CISA's KEV, which requires machine-speed response rather than ticket-speed triage (CISA KEV). Lyrie auto-ingests KEV updates and immediately prioritizes any asset profiled as Sophos XG Firewall for accelerated containment and validation workflows tied to CVE-2020-15069 (CISA KEV). We correlate CVE metadata from NVD and MITRE to programmatically expand detection and policy coverage for this CWE-120 memory-corruption class across relevant controls without human wait states (NVD CVE-2020-15069; MITRE CVE-2020-15069). Net: we treat this KEV listing as an active kill-chain input and move to autonomous detection and containment for RCE attempts against identified Sophos XG surfaces at machine speed, ahead of manual patch cadence (CISA KEV).
Lyrie Verdict
Active KEV firewall RCE demands machine-speed action. Lyrie auto-ingests CISA KEV, flags Sophos XG assets, and uses NVD/MITRE CVE metadata to autonomously prioritize and enforce detection/containment for CWE-120 RCE attempts targeting CVE-2020-15069.