Sophos patches critical remote code execution vulnerability in Firewall

Sophos Firewall is a network protection solution for the enterprise market.
Written by Charlie Osborne, Contributing Writer

Sophos has patched a remote code execution (RCE) vulnerability in the Firewall product line.

Sophos Firewall is an enterprise cybersecurity solution that can adapt to different networks and environments. Firewall includes TLS and encrypted network traffic inspection, deep packet inspection, sandboxing, intrusion prevention systems (IPSs), and visibility features for detecting suspicious and malicious network activity.

On March 25, the cybersecurity company disclosed the RCE, which was privately disclosed to Sophos via the firm's bug bounty program by an external cybersecurity researcher. Sophos offers financial rewards of between $100 and $20,000 for reports.

Tracked as CVE-2022-1040 and issued a CVSS score of 9.8 by Sophos as a CNA, the vulnerability impacts Sophos Firewall v18.5 MR3 (18.5.3) and older.

According to Sophos' security advisory, the critical vulnerability is an authentication bypass issue found in the user portal and Webadmin Sophos Firewall access points.

While the vulnerability is now patched, Sophos has not provided further technical details.

Sophos Firewall users will have received a hotfix, in most cases, to tackle the flaw. So if customers have enabled the automatic installation of hotfix updates, they do not need to take further action.

However, if customers are still using older software versions, they may have to update their builds to a newer version to stay protected.

There is also a general workaround to mitigate the risk of attacks made through the user portal and Webadmin. Users can disable WAN access to these platforms entirely, and Sophos recommends using a virtual private network (VPN) alongside Sophos Central to improve the security of remote connections.

Earlier this month, Sophos resolved CVE-2022-0386 and CVE-2022-0652, two vulnerabilities in Sophos UTM threat management appliance. CVE-2022-0386 is a high-severity post-auth SQL injection vulnerability, whereas CVE-2022-0652 is an insecure access permissions bug. 

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards