Critical Vulnerability in Sophos Firewall

Published on 28 Mar 2022

Updated on 28 Mar 2022

Sophos has released hotfixes for a critical vulnerability (CVE-2022-1040) in their Firewall product.

The vulnerability affects Sophos Firewall v18.5 MR3 (18.5.3) and older. It is an authentication bypass in the User Portal and Webadmin of the firewall, and successful exploitation may allow an attacker to perform remote code execution.

Administrators and users of affected versions are advised to ensure that the relevant hotfixes are applied immediately. Hotfixes are also available for end-of-life (EOL) versions of the Sophos Firewall.

Manual patching is not required if the "Allow automatic installation of hotfixes" feature (enabled by default) is turned on in the firewall settings.

To verify if the latest hotfixes have been applied, please refer to the following link: https://support.sophos.com/support/s/article/KB-000043853

Administrators and users of affected versions who are not able to apply the relevant hotfixes immediately can reduce their exposure by ensuring that the User Portal and Webadmin are not reachable from the Wide Area Network (WAN). VPN and/or Sophos Central should be used instead for remote access and management.

More information is available here:

https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce

https://nvd.nist.gov/vuln/detail/CVE-2022-1040