A remote code execution vulnerability in Sophos Connect Client version 2.0 for Windows was recently discovered and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed in version 2.1.
Sophos would like to thank Kim Karlsson for responsibly disclosing this issue to Sophos.
The remediation prevents malicious websites from remotely executing arbitrary code. There was no evidence that the vulnerability was exploited, and to our knowledge no customers are impacted.
SophosConnect_2.1_(IPsec_and_SSLVPN).msi
Individual users can download SophosConnect_2.1_(IPsec_and_SSLVPN).msi using this link: https://www.sophos.com/Pages/DownloadRedirect.aspx?downloadKey=6AF9884A-8B35-4E3E-8DE0-36C7063293DE.