Critical Sophos Firewall Vulnerability Allows Remote Code Execution


Sophos has fixed a critical vulnerability in its Sophos Firewall product that allows remote code execution (RCE).

Tracked as CVE-2022-1040, the authentication bypass vulnerability exists in the User Portal and Webadmin areas of Sophos Firewall.

RCE bug in web management console

On Friday, Sophos disclosed a critical remote code execution vulnerability affecting Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier for which the company has released hotfixes.

CVE-2022-1040 has a CVSS score of 9.8 and allows a remote attacker accessing the firewall user portal or Webadmin interface to bypass authentication and execute arbitrary code.

The vulnerability was responsibly reported to Sophos by an unnamed third-party security researcher through the company’s bug bounty program.

To address the bug, Sophos has released hotfixes that should reach most instances automatically by default.

“No action is required for Sophos Firewall customers with the ‘Allow automatic hotfix installation’ feature enabled. Enabled is the default setting,” explains Sophos in the security advisory.

However, the security advisory indicates that some older versions and end-of-life products will not receive the hotfix automatically and require manual action.

As a general solution to the vulnerability, the company advises customers to secure their user portal and Webadmin interfaces:

“Customers can protect themselves from external attackers by ensuring that their user portal and Webadmin are not exposed to WAN,” the advisory reads.

“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.”

Earlier this week, Sophos also resolved two “high” vulnerabilities (CVE-2022-0386 and CVE-2022-0652) affecting Sophos Unified Threat Management (UTM) appliances.

Sophos Firewall bugs previously exploited by attackers

It remains critical to ensure that your Sophos Firewall instances receive the latest security patches and hotfixes in a timely manner, as attackers have historically targeted vulnerable Sophos Firewall instances.

In early 2020, Sophos patched a zero-day SQL injection vulnerability in its XG Firewall after reports that hackers were actively exploiting it in attacks.

As of April 2020, threat actors behind the Asnarök trojan malware had exploited the zero-day to attempt to steal firewall usernames and hashed passwords from vulnerable XG Firewall instances.

That same zero-day was also exploited by hackers attempting to deliver Ragnarok ransomware payloads onto corporate Windows systems.

Sophos Firewall users are therefore advised to ensure that their products are updated. The Sophos Support website explains how to enable automatic hotfix installation and verify that the hotfix for CVE-2022-1040 has reached your product.

Once automatic hotfix installation is enabled, Sophos Firewall checks for hotfixes every 30 minutes and after each reboot.
