A critical vulnerability patched recently by Sophos in its Cyberoam firewall appliances allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.