MARCH 29, 2022 23:55 GMT
A critical Remote Code Execution (RCE) vulnerability has been patched in the Sophos Firewall platform. This vulnerability (CVE-2022-1040) has a CVSS base score of 9.8 and impacts all Sophos firewalls v18.5 MR3 (18.5.3) and older.
The vulnerability allows a threat actor to bypass authentication in the User and Webadmin portals. After bypassing login, the user is subsequently able to remotely execute code. The bug was privately disclosed by threat researchers and there is a hotfix available.
Sophos has a Knowledge Base guide to determine if the hotfix was applied properly within your environment, and it has been fixed automatically for any customer who has the “Allow automatic installation of hotfixes” setting available.
There is a reported history of Sophos Firewall vulnerabilities being utilized by threat actors to infect corporate networks with ransomware. 
- Ensure that the hotfix has been applied if you are running Sophos Firewall v18.5 MR3 (18.5.3) or older versions.
- Sophos recommends that you disable WAN access to the User Portal and Webadmin interfaces and use a secure connection channel following their best practices.
- Sophos Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce
- Sophos KB Article: Verify Hotfix has been applied properly: https://support.sophos.com/support/s/article/KB-000043853?language=en_US
- Mitre Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1040
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-1040
- BleepingComputer Article: https://www.bleepingcomputer.com/news/security/critical-sophos-firewall-vulnerability-allows-remote-code-execution/