Critical Sophos Security Bug Allows RCE on Firewalls

The security vendor’s appliance suffers from an authentication-bypass issue.

Cybersecurity stalwart Sophos has plugged a critical vulnerability in its firewall product that could allow remote code execution.

The flaw, tracked as CVE-2022-1040, is specifically an authentication-bypass vulnerability in the User Portal and Webadmin of the Sophos Firewall. It affects version 18.5 MR3 (18.5.3) and older of the appliance.


An exploit would give attackers control over the device, and enable them to disable the firewall, add new users, or use it as a jumping-off point for burrowing deeper into a company’s network.

Sophos did not provide technical details or a CVSS score for the bug, but listed it as “critical.”

The company pushed out a hotfix, but those without automatic updates enabled will need to manually update their appliances. There’s also a workaround, according to the company’s security advisory:

“Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN,” according to Sophos. “Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.”
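The advisory gives defenders two facts to act on: the affected range ("18.5 MR3 (18.5.3) and older") and the interim workaround (no WAN exposure for the User Portal and Webadmin). The following is an added example, not code from the article or from Sophos, showing how an administrator with several appliances might triage them against both facts. The version parser accepts the dotted form quoted in the article ("18.5.3") and the marketing form ("18.5 MR3"); treating a "GA" release as maintenance release 0 and ignoring a "-BuildNNN" suffix are assumptions of this example, as is the constructed inventory at the bottom.

```python
import re

# Upper bound of the affected range as stated in the Sophos advisory for
# CVE-2022-1040: "18.5 MR3 (18.5.3) and older".
LAST_AFFECTED = (18, 5, 3)

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)"                 # major.minor, e.g. 18.5
    r"(?:\.(\d+)|\s*MR(\d+)|\s*GA)?"   # optional ".patch", " MRn" or " GA"
    r"(?:[-\s]Build\s*\d+)?$",         # optional build suffix (ignored)
    re.IGNORECASE,
)


def parse_version(text):
    """Parse a Sophos Firewall version string into (major, minor, mr).

    "18.5.3" and "18.5 MR3" both map to (18, 5, 3).  Mapping "GA" to
    maintenance release 0 is an assumption of this example.  Returns None
    for strings the pattern does not understand.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, dot_patch, mr = m.groups()
    patch = dot_patch if dot_patch is not None else (mr if mr is not None else "0")
    return (int(major), int(minor), int(patch))


def is_affected(text):
    """True if the version falls inside the range the advisory calls affected."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return v <= LAST_AFFECTED


def triage(inventory):
    """Decide, per appliance, whether the hotfix and/or the workaround are needed.

    inventory: iterable of dicts with keys
        name            - label for the appliance
        version         - version string as shown in the appliance UI
        portal_on_wan   - True if User Portal or Webadmin is reachable from WAN
    Returns a list of dicts with the two actions the advisory describes.
    """
    report = []
    for box in inventory:
        affected = is_affected(box["version"])
        report.append({
            "name": box["name"],
            "needs_hotfix": affected,
            # The workaround only matters while an affected box is exposed;
            # a patched box does not need WAN access removed for this bug.
            "needs_workaround": affected and bool(box["portal_on_wan"]),
        })
    return report


# Constructed sample inventory for demonstration; not real appliances.
SAMPLE_INVENTORY = [
    {"name": "hq-fw-01", "version": "18.5 MR3-Build408", "portal_on_wan": True},
    {"name": "branch-fw-02", "version": "18.5.3", "portal_on_wan": False},
    {"name": "dc-fw-03", "version": "18.5 MR4", "portal_on_wan": True},
    {"name": "lab-fw-04", "version": "v17.5 MR17", "portal_on_wan": True},
    {"name": "new-fw-05", "version": "19.0 GA", "portal_on_wan": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['name']:>12}: hotfix={row['needs_hotfix']!s:<5} "
              f"workaround={row['needs_workaround']}")
```

Run it as a script to print the triage table; in practice the inventory would be exported from a management console rather than typed in. The "needs_workaround" flag deliberately depends on both conditions, so a patched appliance with the portal on WAN is not flagged for this bug, although keeping management interfaces off the WAN remains good practice regardless.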

An unnamed independent researcher was credited with reporting the flaw via Sophos’ bug bounty.

The vulnerability is the third bug for the vendor this month. Earlier in March, two others came to light, tracked as CVE-2022-0386 (a post-authentication SQL-injection issue) and CVE-2022-0652 (an insecure access permissions bug). They affected the Sophos UTM unified threat-management appliance.




  • R Hartes on

    Sophos have multiple firewall products. UTM or XG?
    • Tara Seals on

      The advisory doesn't actually say -- I think the function that's affected likely exists in any of the firewall products, but I reached out to Sophos to confirm.
