Sophos Firewall RCE vulnerability actively exploited

Threat Advisories


A security researcher discovered an authentication bypass vulnerability in the User Portal and Webadmin interfaces of Sophos Firewall. Attackers are actively exploiting it against organisations in South Asia.

The vulnerability, tracked as CVE-2022-1040, allows a remote attacker who can reach the firewall's User Portal or Webadmin interface to bypass authentication and execute arbitrary code on the appliance.

Sophos published hotfixes that were deployed automatically to affected devices, because the ‘Allow automatic installation of hotfixes’ setting is enabled by default. Devices on which that setting was disabled, and devices running end-of-life Sophos Firewall versions, must be manually updated to a supported, fixed release to close the vulnerability and withstand the ongoing attacks. Customers can also reduce their exposure by disabling WAN access to the User Portal and Webadmin and administering the firewall over VPN or Sophos Central instead.
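The WAN-exposure advice above is only useful if you can confirm what is actually reachable from the outside. The following script is an added example, not Sophos code and not from the original advisory: run from a host outside your network, it attempts a TCP handshake against the default User Portal (443) and Webadmin (4444) ports on each WAN address you pass it and reports which answer. The port numbers are the assumed product defaults; both can be changed on the appliance, so adjust DEFAULT_PORTS if yours differ. The 203.0.113.x addresses used for illustration are documentation addresses, not real targets.

```python
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default listening ports of the two affected Sophos Firewall services.
# Assumed product defaults; check the firewall's admin settings, since
# either port can be changed per deployment.
DEFAULT_PORTS: Dict[str, int] = {"User Portal": 443, "Webadmin": 4444}


@dataclass
class Finding:
    host: str
    service: str
    port: int
    reachable: bool


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, filtered (timeout) and unroutable all count as
        # "not reachable" from this vantage point.
        return False


def check_exposure(host: str, ports: Optional[Dict[str, int]] = None,
                   timeout: float = 3.0) -> List[Finding]:
    """Probe each admin-service port on one WAN address."""
    ports = ports or DEFAULT_PORTS
    return [Finding(host, svc, port, tcp_reachable(host, port, timeout))
            for svc, port in ports.items()]


def exposed_services(findings: List[Finding]) -> List[str]:
    """Names of the services that answered, i.e. are reachable from where the probe ran."""
    return [f"{f.service} ({f.host}:{f.port})" for f in findings if f.reachable]


def probe_local_listener(timeout: float = 2.0) -> bool:
    """Self-check for the probe: bind an ephemeral loopback port and confirm
    tcp_reachable() sees it. Lets you trust a 'not reachable' verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return tcp_reachable("127.0.0.1", port, timeout)


if __name__ == "__main__":
    import sys
    # Usage: python check_exposure.py <wan-ip> [<wan-ip> ...]
    # Run from OUTSIDE the protected network; from inside, the result says
    # nothing about WAN exposure.
    if not probe_local_listener():
        sys.exit("probe self-check failed; results would not be trustworthy")
    for wan_ip in sys.argv[1:] or ["203.0.113.5"]:  # constructed sample address
        hits = exposed_services(check_exposure(wan_ip))
        status = "EXPOSED -> " + ", ".join(hits) if hits else "no admin ports reachable"
        print(f"{wan_ip}: {status}")
```

A completed handshake only proves that something listens on the port; if you need to confirm it is the firewall's management UI rather than a NAT-forwarded internal service, follow up with an HTTPS request and inspect the certificate or login page. Either way, a reachable 4444 or 443 on the WAN side is what the advisory tells you to remove.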

Potential MITRE ATT&CK TTPs are:

TA0042: Resource Development

TA0006: Credential Access

TA0007: Discovery

TA0001: Initial Access

TA0004: Privilege Escalation

TA0005: Defense Evasion

T1588: Obtain Capabilities

T1588.006: Obtain Capabilities: Vulnerabilities

T1190: Exploit Public-Facing Application

T1040: Network Sniffing

T1548: Abuse Elevation Control Mechanism

Vulnerability Details