Sophos Ltd — 4 prefixes (MA-L)

Sophos Ltd holds exactly four MA-L (MAC Address Large, the 24-bit block formerly called OUI) assignments — 00:1A:8C, 7C:5A:1C, A8:91:62, and C8:4F:86 — all registered to the same address: The Pentagon, Abingdon, Oxfordshire, GB OX14 3YP. No MA-M or MA-S sub-blocks were found. Sophos is a UK-headquartered cybersecurity vendor founded in 1985 by Jan Hruska and Peter Lammer, and these prefixes appear on network-security hardware rather than consumer endpoints: next-generation firewall appliances (the XGS Series in desktop, 1U, and 2U form factors), Sophos Switch units, AP-series wireless access points, and SD-RED remote edge devices. Because all four are MA-L (large-block) allocations covering multiple product lines, the device type behind an individual prefix cannot be resolved from public sources — the company manufactures several hardware categories under these blocks. The practical reading for network work: a Sophos OUI on a globally-administered address indicates a security appliance on the segment, not an end-user device. That matters for threat intelligence, because Sophos firewall appliances have been high-value targets. The October 2024 "Pacific Rim" disclosure detailed a multi-year campaign by China-linked actors (APT31, APT41, Volt Typhoon) against Sophos perimeter devices, including the in-the-wild zero-day CVE-2022-1040; later critical RCE/SQL-injection flaws (CVE-2024-12727/12728/12729, December 2024; CVE-2025-6704 and CVE-2025-7624, July 2025) reinforce that a Sophos prefix in a scan is a prompt to check patch status, not a benign signal.

IEEE assignment

4 prefixes → Sophos Ltd, registered The Pentagon, Abingdon, Oxfordshire, GB OX14 3YP [Confirmed] — IEEE MA-L (oui.csv lines 115, 17537, 28465, 33964); corroborated by netify.ai MAC brand listing

Registry / block size

MA-L (24-bit OUI); holds 4 IEEE prefixes [Confirmed] — IEEE oui.csv (registry-class field). NOTE: IEEE's public OUI data publishes NO assignment/registration date (oui.csv columns are only Registry, Assignment, Organization Name, Organization Address); any "date registered" on third-party tools is a database artifact, not an IEEE fact.

HQ / country

The Pentagon, Abingdon, Oxfordshire, GB OX14 3YP (registry address) — GB (United Kingdom) [Confirmed] — IEEE MA-L; company HQ in Abingdon, England corroborated by Wikipedia

Company status

active [Confirmed] — sophos.com/en-us/company

Company founded

1985, by Jan Hruska and Peter Lammer [Confirmed] — en.wikipedia.org/wiki/Sophos

Device types

next-gen firewall appliances (XGS Series desktop/1U/2U), Sophos Switch, AP6/AP100-series wireless access points, SD-RED edge devices [Confirmed] — netify.ai MAC brand listing, sophos.com next-gen-firewall product pages

Verified prefixes (all MA-L, Sophos Ltd)

00:1A:8C, 7C:5A:1C, A8:91:62, C8:4F:86 [Confirmed] — IEEE oui.csv. Per-prefix device-type mapping is NOT resolvable from public sources [Unknown] — no public IEEE vendor-to-device mapping; netify.ai resolves only to company level

No MA-M / MA-S sub-blocks

none found in mam.csv or oui36.csv [Confirmed] — IEEE registry files (no matches)

Registration date

Unknown — IEEE publishes no OUI registration dates; any third-party "date registered" value is a database artifact, not an IEEE-sourced fact [Unknown] — en.wikipedia.org/wiki/Organizationally_unique_identifier

Usage context

enterprise and SMB network-security perimeter devices (firewalls, UTM appliances, wireless APs, edge switches) running Sophos Firewall OS (SFOS). XG Series reached end-of-life 31 March 2025; current generation is XGS Series (1st/2nd Gen). [Confirmed] — sophos.com/en-us/products/next-gen-firewall, sophos.com/en-us/company

Security context

Sophos firewall appliances are high-value APT targets. "Pacific Rim" (Oct 2024) documented a multi-year China-linked campaign (APT31/APT41/Volt Typhoon) exploiting perimeter devices, incl. in-the-wild zero-day CVE-2022-1040. Critical CVEs patched Dec 2024 (CVE-2024-12727 SQLi CVSS 9.8, CVE-2024-12728 weak SSH creds CVSS 9.8, CVE-2024-12729 post-auth code injection CVSS 8.8) and Jul 2025 (CVE-2025-6704, CVE-2025-7624, both pre-auth RCE CVSS 9.8). [Confirmed] — sophos.com/en-us/content/pacific-rim, sophos.com security advisories, thehackernews.com

Related vendors

none identified

Analyst note

A Sophos OUI on a globally-administered address indicates a security appliance (firewall, AP, or switch), not an end-user endpoint. Treat its presence in threat-intel context as a prompt to verify the device's CVE/patch status; a spoofed Sophos OUI could mimic a legitimate appliance identity.