---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in Sophos Mobile and Sophos Mobile Control'
version: '1.0'
number: '2018-010'
date: 'April 9, 2018'
---

_History:_

* _09/04/2018 --- v1.0 -- Initial publication_

# Summary

On the 26th of March 2018, Sophos released a security advisory concerning **Sophos Mobile** and **Sophos Mobile Control** [1, 2]. This critical vulnerability could allow an unauthenticated user to access the administration console or the self-service portal of Sophos Mobile.

# Technical Details

Sophos has published few details beyond the fact that successful exploitation of the vulnerability could allow an attacker to bypass authentication to the administration panel of the portal, and that no attacks have been observed at the time of this writing.

# Products Affected

All versions of **Sophos Mobile** and **Sophos Mobile Control** prior to `8.0.7` are affected by the vulnerability.

# Recommendations

For all versions higher than `6.0`, the patch is available on the **Sophos License Portal**. For version `5.1` and earlier, Sophos provides instructions on how to upgrade to an up-to-date version [3].

## Workarounds

There are no known workarounds that address this vulnerability.

# References

[1]

[2]

[3]