By security practitioners, for security practitioners novacoast federal | Pillr | novacoast | about innovate
By security practitioners, for security practitioners

Critical Remote Code Execution Vulnerability Found in Sophos Firewall Products

MARCH 29, 2022 23:55 GMT

A critical Remote Code Execution (RCE) vulnerability has been patched in the Sophos Firewall platform. This vulnerability (CVE-2022-1040) has a CVSS base score of 9.8 and impacts all Sophos firewalls v18.5 MR3 (18.5.3) and older.

Vulnerability Details

The vulnerability allows a threat actor to bypass authentication in the User and Webadmin portals. After bypassing login, the user is subsequently able to remotely execute code. The bug was privately disclosed by threat researchers and there is a hotfix available.

Sophos has a Knowledge Base guide to determine if the hotfix was applied properly within your environment, and it has been fixed automatically for any customer who has the “Allow automatic installation of hotfixes” setting available.

There is a reported history of Sophos Firewall vulnerabilities being utilized by threat actors to infect corporate networks with ransomware. [5]


  • Ensure that the hotfix has been applied if you are running Sophos Firewall v18.5 MR3 (18.5.3) or older versions.
  • Sophos recommends that you disable WAN access to the User Portal and Webadmin interfaces and use a secure connection channel following their best practices.  


  1. Sophos Advisory:
  2. Sophos KB Article: Verify Hotfix has been applied properly:
  3. Mitre Entry:
  4. NVD Entry:
  5. BleepingComputer Article:
Previous Post

Okta Investigating Reported Breach of Customer Data by Threat Group LAPSUS$ – UPDATED

Next Post

Spring4Shell Zero-Day RCE Affects VMWare’s Java Application Framework

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.