What happened
CISA added CVE-2020-29574 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-02-06, signaling confirmed in-the-wild exploitation [CISA KEV catalog]. The entry covers Sophos CyberoamOS (CROS) and describes a pre-authentication SQL injection in the WebAdmin interface that allows remote execution of arbitrary SQL statements [NVD detail]. CISA’s required action states the impacted product is end-of-life/end-of-service (EoL/EoS) and organizations should discontinue use; CISA set a due date of 2025-02-27 for remediation tracking [CISA KEV catalog]. The weakness maps to CWE-89 (improper neutralization of special elements in an SQL command) [NVD entry]. See also the canonical record for cross-reference [MITRE CVE].
CISA lists ransomware campaign use as unknown for this entry, but inclusion in KEV independently indicates observed exploitation activity [CISA KEV].
Why it matters
A pre-auth SQL injection against a device’s administrative plane is a direct path to manipulating the system’s backing data store. Executing arbitrary SQL typically enables data exfiltration, modification, or disruption of database-backed operations—impacts consistent with CWE-89’s confidentiality, integrity, and availability concerns [NVD CVE-2020-29574]. Because the vulnerable surface is the WebAdmin, any reachable exposure to untrusted networks becomes a high-likelihood initial access vector. KEV inclusion elevates prioritization: CISA only adds vulnerabilities known to be exploited in the wild, which moves this out of “theoretical” and into “active risk” territory [CISA KEV catalog].
Compounding risk: the affected product line is EoL/EoS, and CISA explicitly instructs discontinuation rather than patching—implying no vendor fix path exists [CISA KEV]. That makes compensating controls and accelerated decommissioning the only durable options.
Technical detail
Per the public records, CVE-2020-29574 is a SQL injection flaw in the CyberoamOS WebAdmin that can be triggered without authentication, allowing an attacker to run arbitrary SQL statements on the backend [NVD entry]. The vulnerability is categorized under CWE-89 (SQL Injection), indicating improper input handling that lets attacker-controlled data alter query semantics [NVD CWE mapping]. In practical terms, an attacker sending crafted parameters to the administrative interface can influence database queries executed by the appliance’s management components.
Two properties drive exploitability:
- Pre-authentication exposure: no valid session or credentials are required to trigger the SQLi [NVD CVE-2020-29574].
- Remote reachability: exploitation occurs over the network against the WebAdmin surface [NVD entry].
Given the CWE class, feasible attacker actions include enumerating schema, reading sensitive rows, inserting/modifying records, or issuing destructive statements that disrupt control-plane operations—canonical outcomes of arbitrary SQL execution [NVD CWE reference]. The KEV note clarifies the product is EoL/EoS and directs organizations to discontinue utilization, underscoring the absence of a supported remediation path [CISA KEV]. The MITRE record is consistent with these details and preserves the authoritative CVE metadata [MITRE CVE].
Defense
Immediate priorities:
- Remove from service: CISA’s required action is explicit—discontinue utilization of the affected CyberoamOS product line [CISA KEV].
- Replace with a supported platform. Where replacement cannot be instant, apply strict compensating controls:
  - Physically and logically isolate the WebAdmin from untrusted networks; allow access only from a dedicated management enclave or over a VPN with MFA.
  - Enforce deny-by-default ACLs to the administrative interface; no internet exposure.
  - Monitor for spikes or anomalies in HTTP requests to the WebAdmin path, especially parameter-heavy requests consistent with SQLi probing.
  - Instrument network detection for common SQLi signatures and time-based probing patterns against the device’s management endpoint.
Assume-breach actions if exposure existed:
- Review device configuration integrity and audit logs for unauthorized administrative changes or unexplained service disruptions. Because arbitrary SQL execution can alter or read database content, treat any anomaly as potential compromise [NVD CVE-2020-29574].
- Rotate credentials stored or managed adjacent to the device if there is any possibility they were referenced by database-backed components.
Governance and deadlines:
- Track to CISA’s stated due date of 2025-02-27 for federal programs, using decommission evidence as the remediation artifact [CISA KEV].
Lyrie Verdict
Pre-auth SQL injection on an admin plane is prime territory for autonomous exploitation by commodity bots and offensive LLM agents that chain payload generators to mass-scan and iterate payloads. There is no patch runway here—CISA’s directive is to pull the gear [CISA KEV]. Defense has to run at machine speed.
Lyrie pairs protocol-aware detectors with behavior models tuned for management surfaces. For this class of issue, we continuously:
- Correlate inbound WebAdmin transactions with SQLi grammar features and timing artifacts to flag pre-auth injection attempts in real time.
- Cross-check device-side state transitions (admin session creation, config write attempts) immediately after suspicious requests to confirm exploit success patterns.
- Auto-segment the asset from untrusted networks and kill active sessions the moment pre-auth injection indicators exceed threshold, buying time to decommission.
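As an added, runnable illustration of the monitoring and detection controls listed under Defense above and of the correlation step in the bullets just listed (example code written for this page, not Lyrie's detector and not any Cyberoam component), the following Python script scores constructed WebAdmin access-log lines for pre-auth SQLi grammar and time-based probing primitives, then correlates a subsequent authenticated configuration write from the same source. The log format, the /webadmin/ path prefix and the mode=writeConfig parameter are assumed placeholders, not the appliance's real ones.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

WEBADMIN_PREFIX = "/webadmin/"      # assumed placeholder for the appliance's admin path
CORRELATION_WINDOW = timedelta(minutes=5)
# Injection grammar features: quote followed by a keyword, comment tokens, tautologies, UNION SELECT
SQLI_GRAMMAR = re.compile(r"'\s*(or|and|union)\b|--|/\*|\bunion\s+select\b|\bor\s+\d+\s*=\s*\d+", re.I)
# Time-based probing primitives; blind injection is confirmed by response delay, not output
TIME_BASED = re.compile(r"\b(pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)

def parse_line(line):
    """Constructed log format: ISO time, source IP, method, URL, session id ('-' if none), status."""
    ts, src, method, url, sess, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src, "method": method,
            "url": unquote_plus(url), "pre_auth": sess == "-", "status": int(status)}

def classify(req):
    """Label one request aimed at the WebAdmin path, or None when nothing injection-like is seen."""
    if not req["url"].startswith(WEBADMIN_PREFIX):
        return None
    if TIME_BASED.search(req["url"]):
        return "time-based-sqli"
    if SQLI_GRAMMAR.search(req["url"]):
        return "sqli-grammar"
    return None

def analyze(log_text):
    """Flag pre-auth injection probes and correlate them with a following admin-plane config write."""
    alerts, suspect = [], {}  # suspect: source IP -> time of its last pre-auth injection attempt
    for r in (parse_line(l) for l in log_text.strip().splitlines()):
        label = classify(r)
        if label and r["pre_auth"]:
            alerts.append((r["src"], label))
            suspect[r["src"]] = r["ts"]
        elif "mode=writeConfig" in r["url"] and r["src"] in suspect \
                and r["ts"] - suspect[r["src"]] <= CORRELATION_WINDOW:
            # State change on the admin plane right after a probe from the same source
            alerts.append((r["src"], "post-injection-config-write"))
    return alerts

# Constructed sample log lines (not captured from any real device)
SAMPLE_LOG = """\
2025-02-10T09:00:01Z 203.0.113.7 GET /webadmin/login?user=admin&pass=x - 200
2025-02-10T09:00:02Z 203.0.113.7 GET /webadmin/login?user=admin'+OR+1=1--&pass=x - 200
2025-02-10T09:00:03Z 203.0.113.7 GET /webadmin/login?user=a'+AND+pg_sleep(5)--&pass=x - 200
2025-02-10T09:00:20Z 203.0.113.7 POST /webadmin/controller?mode=writeConfig s9f3 200
2025-02-10T09:05:00Z 198.51.100.9 GET /webadmin/login?user=alice&pass=y - 200
"""
```

Calling analyze(SAMPLE_LOG) returns three alerts for 203.0.113.7 (sqli-grammar, time-based-sqli, then post-injection-config-write) while the ordinary login from 198.51.100.9 is not flagged; the sleep-style primitives are what the page calls time-based probing, and the config-write correlation is the "exploit success pattern" check.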
Bottom line: legacy, EoL perimeter gear with pre-auth SQLi is not survivable on the open network. Autonomous detection and instantaneous containment are the only practical controls until the box is gone. Lyrie executes that containment at machine speed, specifically on administrative paths where human reaction time loses the race.
Lyrie Verdict
Pre-auth SQLi on an admin surface is bot-food and actively exploited. With no patch path (CISA mandates decommission), only machine-speed detection and auto-containment keep this survivable long enough to rip-and-replace. Lyrie monitors management endpoints for SQLi grammar/timing patterns, correlates immediate admin-plane state changes, and auto-segments the device on signal—blocking rogue-AI autopwn while you decommission.