TLDR: If you run Sophos Firewall v18.5 MR3 (18.5.3) or older, verify that the CVE-2022-1040 hotfix has been applied.

Vulnerability Name: CVE-2022-1040

What does it do?

An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker, without valid credentials, to execute code on the firewall.

What operating systems/software versions are affected?

Sophos Firewall v18.5 MR3 (18.5.3) and older.

Why is this a concern?

This vulnerability can be used to remotely run malicious code or commands on the firewall, take control of it, and from that foothold attack and ultimately take over the network it protects.

Is there a way to mitigate this?

Yes. Disable WAN access to the User Portal and Webadmin by following Sophos' device access best practices, and use VPN and/or Sophos Central for remote access and management instead. This removes the attack surface from the internet even on devices that have not yet received the hotfix.

Are patching or update options available?

Sophos Firewall customers receive this fix automatically if the "Allow automatic installation of hotfixes" feature is enabled. This setting is enabled by default, but if it has been turned off the hotfix must be applied manually, so do not assume it is present.

Follow the instructions on this page to verify that the hotfix has been applied.

Hotfix information for specific Firewall versions:

Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5 and MR5-1 and MR6, v18.5 MR1 and MR2, and v19.0 EAP published on March 23, 2022

Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 published on March 23, 2022

Hotfixes for unsupported EOL version v18.5 GA published on March 24, 2022

Hotfixes for v18.5 MR3 published on March 24, 2022

Fix included in v19.0 GA and v18.5 MR4 (18.5.4)

Users of versions older than those listed above have no hotfix available and are required to upgrade to a supported version to receive the latest protections and this fix.
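The hotfix list above is easy to misread when checking a fleet of firewalls. The script below is an added example (not a Sophos tool and not from the original post) that triages version strings against the ranges the post gives: fixed in v19.0 GA and v18.5 MR4 (18.5.4), hotfix published for the listed 17.0/17.5/18.0/18.5 releases and the 19.0 EAP build, and everything else affected with no hotfix. It assumes the version string looks like what Webadmin and the device console report ("SFOS 18.5.3 MR-3-Build408"); the sample inventory is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not Sophos code: classify an SFOS version string against the
# CVE-2022-1040 hotfix list quoted in the post above.
# Assumption: version strings look like "SFOS 18.5.3 MR-3-Build408", where the
# third number is the maintenance release (MR) and "EAP" marks an EAP build.

# (major, minor, mr) tuples the post lists as having a published hotfix.
# v18.0 MR5-1 is folded into 18.0.5; v19.0 EAP is matched via the EAP token.
HOTFIX_PUBLISHED = {
    (17, 0, 10),                                   # v17.0 MR10 EAL4+
    (17, 5, 12), (17, 5, 13), (17, 5, 14),         # v17.5 MR12..MR15 (EOL)
    (17, 5, 15), (17, 5, 16), (17, 5, 17),         # v17.5 MR16, MR17
    (18, 0, 3), (18, 0, 4), (18, 0, 5), (18, 0, 6),  # v18.0 MR3..MR6
    (18, 5, 0), (18, 5, 1), (18, 5, 2), (18, 5, 3),  # v18.5 GA, MR1..MR3
}

FIXED = "FIXED"                        # fix built in: v19.0 GA+ or v18.5 MR4+
HOTFIX_AVAILABLE = "HOTFIX_AVAILABLE"  # affected, hotfix published: verify applied
UPGRADE_REQUIRED = "UPGRADE_REQUIRED"  # affected, no hotfix listed: must upgrade

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_sfos_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, mr) from a string such as 'SFOS 18.5.3 MR-3-Build408'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, mr = (int(g) for g in m.groups())
    return (major, minor, mr)


def triage(text: str) -> str:
    """Return FIXED, HOTFIX_AVAILABLE or UPGRADE_REQUIRED for one version string."""
    ver = parse_sfos_version(text)
    if ver is None:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    major, minor, mr = ver
    branch = (major, minor)
    is_eap = "EAP" in text.upper()

    if branch >= (19, 0):
        # v19.0 EAP received a hotfix; v19.0 GA and anything newer ship the fix.
        return HOTFIX_AVAILABLE if (branch == (19, 0) and is_eap) else FIXED
    if branch == (18, 5) and mr >= 4:
        return FIXED                   # v18.5 MR4 (18.5.4) includes the fix
    if ver in HOTFIX_PUBLISHED:
        return HOTFIX_AVAILABLE        # still confirm the hotfix actually landed
    return UPGRADE_REQUIRED            # older than any hotfixed release


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> triage status for a {name: version string} inventory."""
    return {name: triage(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not real devices.
    sample = {
        "fw-hq":      "SFOS 18.5.3 MR-3-Build408",
        "fw-branch1": "SFOS 17.5.11 MR-11-Build400",
        "fw-branch2": "SFOS 18.0.5 MR-5-1-Build400",
        "fw-lab":     "SFOS 19.0.0 EAP1-Build300",
        "fw-new":     "SFOS 18.5.4 MR-4-Build418",
    }
    for name, status in triage_inventory(sample).items():
        print(f"{name:12s} {sample[name]:32s} {status}")
```

A HOTFIX_AVAILABLE result only means a hotfix exists for that release; it does not prove the hotfix was installed, so those devices still need the verification step the post describes, and UPGRADE_REQUIRED devices should have WAN access to the User Portal and Webadmin removed until they are upgraded.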

Where can I learn more about this vulnerability?

Review Sophos’ security advisory page for the most recent updates on this vulnerability.

If you have any questions, don’t hesitate to reach out to our Support team!
