Critical Sophos Firewall vulnerability allows remote code execution

Correlate

Sophos has fixed a critical vulnerability in its Sophos Firewall product that allows remote code execution (RCE).

Tracked as CVE-2022-1040, the authentication bypass vulnerability exists in the User Portal and Webadmin areas of Sophos Firewall.
On Friday, Sophos disclosed a critical remote code execution vulnerability impacting Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier that the company released hotfixes for.
 

MacDefender

Unfortunately this is the second time in 5 years that Sophos XG firewalls have had a fully remote exploitable vulnerability on their login page! I used to be a big fan of Sophos for offering home users the ability to run a legitimate enterprise firewall using a spare PC, but since they switched to XG (based on the acquisition of Cyberoam) the quality has been going way down.

It’s hard to say anything good about a firewall that can be compromised via its login page. More than once. And for the exploit to be detected in the wild first. I’ll be decommissioning my last Sophos setup.
 

plat


excerpt:

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies on Thursday to patch a critical Sophos firewall bug and seven other vulnerabilities within the next three weeks, all exploited in ongoing attacks.

As Sophos revealed almost one week ago, the CVE-2022-1040 bug enables attackers to bypass authentication via the User Portal or Webadmin interface and execute arbitrary code remotely.

Two days later, the cybersecurity vendor amended its security advisory, saying it alerted a small set of South Asian organizations targeted with CVE-2022-1040 exploits.
 