A Critical Vulnerability Leads to Remote Code Execution in Sophos Firewall — CVE-2022–1040


In March 2022, Sophos fixed a critical vulnerability in its Sophos Firewall products. The vulnerability is tracked as CVE-2022–1040 and allows for remote code execution (RCE). An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.

The vulnerability has a CVSS rating of 9.8 and is critical in severity. Although the flaw was patched in March by Sophos, Shadow Server, a resource for internet security reporting, observed an uptick of scans testing for the vulnerability. According to Shadow Server, a proof of concept (POC) was published on May 9, 2022, and is currently being used.


Sophos stated that there is no action required for customers with the “Allow automatic installation of hotfixes” feature enabled because “enabled” is the default setting. However, if this feature is not enabled, organizations need to manually patch. So far, the vulnerability has been used to target organizations in the South Asia region, but any organization that has older versions or end-of-life products may need to update manually.

Sophos further stated that customers who need a workaround for CVE-2022–1040 should secure their User Portal Webadmin interfaces — making sure they are not exposed to WAN. Follow the device access best practices to disable WAN access to the User Portal and Webadmin.

Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.

Applies to the following Sophos product(s) and version(s)

Sophos Firewall v18.5 MR3 (18.5.3) and older

  • Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN.
  • Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.


  • In early 2020, Sophos fixed a zero-day SQL injection vulnerability in its XG Firewall following reports that hackers were actively exploiting it in attacks.
  • The same zero-day had also been exploited by hackers attempting to deliver Ragnarok ransomware payloads onto companies’ Windows systems.
  • Starting April 2020, threat actors behind the Asnarök trojan malware had exploited the zero-day to try and steal firewall usernames and hashed passwords from vulnerable XG Firewall instances.
  • The flaw tracked as CVE-2022–1040, is specifically an authentication-bypass vulnerability in the User Portal and Webadmin of the Sophos Firewall. It affects version 18.5 MR3 (18.5.3) and older of the appliance.
  • An exploit would give attackers control over the device, and enable them to disable the firewall, add new users, or use it as a jumping-off point for burrowing deeper into a company’s network.


  • Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP was published on March 23, 2022
  • Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 were published on March 23, 2022
  • Hotfixes for unsupported EOL version v18.5 GA published on March 24, 2022
  • Hotfixes for v18.5 MR3 published on March 24, 2022
  • Hotfixes for unsupported EOL version v17.5 MR3 published on April 4, 2022
  • Fix included in v19.0 GA and v18.5 MR4 (18.5.4)

Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections and this fix

Assigned CVE-2022–1040 with a 9.8 CVSS score, the vulnerability allows a remote attacker who can access the Firewall’s User Portal or Webadmin interface to bypass authentication and execute arbitrary code.

To address the flaw, Sophos released hotfixes that should, by default, reach most instances automatically. The security advisory however implies that some older versions and end-of-life products may need to be actioned manually.

It remains crucial to ensure your Sophos Firewall instances are receiving the latest security patches and hotfixes timely, given that attackers have targeted vulnerable Sophos Firewall instances in the past.

Sophos Firewall users are therefore advised to make sure their products are updated. The Sophos Support website explains how to enable automatic hotfix installation and to verify if the hotfix for CVE-2022–1040 successfully reached your product.

Once automatic hotfix installation is enabled, Sophos Firewall checks for hotfixes every thirty minutes and after any restart.

The vulnerability is the third bug for the vendor this month. Earlier in March, two others came to light, tracked as CVE-2022–0386 (a post-authentication SQL-injection issue) and CVE-2022–0652 (an insecure access permissions bug). They affected the Sophos UTM unified threat-management appliance.


Originally published at https://tutorialboy24.blogspot.com



Our mission is to get you into information security. We'll introduce you to penetration testing and Red Teaming. We cover network testing, Active Directory.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store