Sophos Firewall Remote Code Execution Vulnerability (CVE-2022-1040)

Sophos has released an update to address a critical authentication bypass vulnerability (CVE-2022-1040) in Sophos Firewall. Successful exploitation of this vulnerability can lead to remote code execution. The vulnerability exists in the User Portal and Webadmin of Sophos Firewall.
A remote attacker who gains access to the Firewall’s User Portal or the Webadmin interface can bypass authentication and run arbitrary code.  
Sophos released hotfixes that should, by default, reach most instances automatically. “There is no action required for Sophos Firewall customers with the ‘Allow automatic installation of hotfixes’ feature enabled. Enabled is the default setting,” explains Sophos in its security advisory.  
Sophos also fixed two ‘High’ severity vulnerabilities (CVE-2022-0386 and CVE-2022-0652) affecting its Unified Threat Management (UTM) appliances earlier this week. 

Affected versions  
Sophos Firewall v18.5 MR3 (18.5.3) and older versions are affected by this vulnerability. 

  • Fix included in v19.0 GA and v18.5 MR4 (18.5.4) 
  • Hotfixes for v18.5 MR3 published on March 24, 2022 
  • Hotfixes for unsupported EOL version v18.5 GA published on March 24, 2022 
  • Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections and this fix 
  • Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 were published on March 23, 2022 
  • Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP was published on March 23, 2022 

For more information, please refer to the Sophos Firewall security advisory 
Qualys Detection  
Qualys customers can scan their devices with QID 730411 to detect vulnerable assets.  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  

Leave a Reply

Your email address will not be published. Required fields are marked *