Critical Sophos vulnerability allows Remote Code Execution


Sophos have published an update to deal with an authentication bypass vulnerability (CVE-2022-1040) in the User Portal and Web Admin interfaces.


A remote attacker could execute code, allowing them to take control of the firewall.

Vulnerability Detection

Sophos have published instructions on how to verify the fix.

Affected Products

Sophos Firewall v18.5 MR3 (18.5.3) and older.

Containment, Mitigations & Remediations

Sophos advise that customers with ‘Allow automatic installation of hotfixes’ enabled should automatically receive the fix.

To protect against remote attacks, network services should not be exposed to the internet unless absolutely required. Remote access can be controlled through the use of a VPN.

Indicators of Compromise

None listed.

Threat Landscape

Sophos report that this vulnerability has been used to target some organisations, primarily in the South Asia region. Those customers have been notified. The vulnerability still remains to be classified; however, Sophos are clearly worried about it, as they have provided updates for a variety of different unsupported / end-of-life (EoL) devices. This also suggests that the vulnerability may have lain undetected for quite some time.

MITRE Methodologies

T1190 – Exploit Public-Facing Application

Further Information

Resolved RCE in Sophos Firewall (CVE-2022-1040)