Skip to main content
  1. Security/

Sophos Central Privilege Escalation

·1 min· loading · loading ·
Sophos Bug Bounty Sophos Sophos Central Sophos Privilege Escalation
Christian Angel
Christian Angel

Sophos Central is a single cloud management solution for all your Sophos next-gen technologies: endpoint, server, mobile, firewall, ZTNA, email, and so much more. With a unified management console, real-time information sharing between products, and automated incident response, Sophos Central makes cybersecurity easier and more effective.

The ssoAuthToken was inadvertently exposed in Sophos Central and is visible to lower privileged users, This token along with the serial number can be used to access the Admin Console of the XG Firewall.


During my research I spotted 5 domains which can be used to access the Admin Console of XG Firewall. I was able to Identify the correct domain by sending GET request to /api/v1/reverse-proxy with basic authentication header of SerialNumber:ssoAuthToken to the domains’s below.


If one of those URL’s sent a response similar to what we have below, Oh boy you got it.


In this case ours is at

Using the domain we got, We can now finally access the Admin Console Using the Request Below.

GET /webconsole/CentralFirewall?serial_number=C69420F4GGVD1&mode=6000&role=Super%20Administrator&page=ControlCenter&language=en-us&at=&flc=1 HTTP/1.1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: zero.session.hammer-token=undefined; zero.session.region=amzn-us-west-2; proxy.serialnumber=C69420F4GGVD1; proxy.sso-token=9d09c0b297c92c876a3ea03b81c1acb5692ad8dc81b6d2f1c70d88120ef6bb96;
Content-Length: 2

This will redirect us to the Admin Console of XG Firewall with Super Administrator Permission using a read-only user on Sophos Central.