A critical security vulnerability in Sophos Firewall was just disclosed.
CVE-2022-1040 Sophos Firewall Vulnerability
Tracked as CVE-2022-1040, the vulnerability is an authentication bypass in the User Portal and webadmin interfaces that could allow attackers to perform remote code execution attacks. Sophos Firewall v18.5 MR3 and older versions are affected.
According to the company’s advisory, the vulnerability was reported through the Sophos bug bounty program by an external researcher. Fortunately, CVE-2022-1040 has been fixed, and a patch is available.
What should you do if you are affected? As a Sophos Firewall customer, you are not required to take any action as long as the “Allow automatic installation of hotfixes” setting is enabled. This is the default setting.
It should be noted that the vulnerability has been used to target a small number of organizations primarily in the South Asia region. The organizations have been directly contacted by the company, with the promise to investigate further and provide more details when available.
As an additional workaround, customers can ensure that their User Portal and webadmin interfaces are not exposed to the WAN.