CVE-2022-1040

Firewall vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

Sophos Firewall versions 18.5 MR3 and older contain a critical authentication bypass vulnerability in the User Portal and Webadmin interfaces. The vulnerability allows remote attackers to bypass authentication controls and potentially execute arbitrary code without valid credentials. It was disclosed on March 25, 2022. CISA lists CVE-2022-1040 as known to be exploited; it is not currently known to be used in ransomware campaigns.

Technical details

Sophos Firewall contains insufficient authentication checks in both the User Portal and Webadmin components. These weaknesses allow unauthenticated remote attackers to access protected functionality without providing valid credentials. The vulnerability can be exploited to bypass authentication mechanisms entirely, potentially leading to code execution and full system compromise.

The vulnerability is classified as CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.

Impact

An unauthenticated remote attacker can completely bypass authentication on the Sophos Firewall, potentially gaining administrative access to sensitive firewall management interfaces. This could lead to arbitrary code execution, unauthorized access to network traffic, modification of firewall rules, theft of sensitive data, lateral movement into the protected network, and complete compromise of the firewall's security posture.

Mitigation and workarounds

Upgrade Sophos Firewall to version 18.5 MR4 or later. For customers unable to immediately upgrade, Sophos strongly recommends implementing network-level access controls to restrict access to the User Portal and Webadmin interfaces to trusted networks only. The following versions include the necessary fixes: Sophos Firewall 18.5 MR4, Sophos Firewall 19.0.

Temporary workarounds until patching is completed:

- Restrict network access to the Sophos Firewall User Portal (typically port 4444) and Webadmin interface (typically port 4443) using firewall rules, network segmentation, or access control lists. Only allow connections from trusted administrative networks or VPN connections.
- Deploy the firewall behind an additional network access layer or reverse proxy that enforces authentication before traffic reaches the Sophos Firewall interfaces.
- Disable the User Portal and Webadmin interfaces if they are not actively required, and manage the firewall through alternative methods (e.g., the CLI) until the patch is applied.
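The first workaround above is only effective if no access rule still permits the management ports from an untrusted source. The following is an added example (not part of the advisory and not Sophos code) that audits a list of access rules, modelled here as plain dicts in a constructed format, and flags any "allow" rule that exposes TCP 4443 (Webadmin) or 4444 (User Portal) to a source network outside the trusted administrative ranges. The rule format, the sample rules and the trusted networks are all constructed for the example.

```python
"""Audit access rules for exposure of Sophos Firewall management interfaces.

Added example, not from the original advisory and not Sophos code.
Rules are modelled as dicts with keys: name, action ("allow"/"deny"),
src (CIDR string), dst_ports (list of ints). This format is an
assumption made for the example; adapt the loader to your own export.
"""
import ipaddress

# Ports named in the advisory: Webadmin (4443) and User Portal (4444).
MANAGEMENT_PORTS = {4443: "Webadmin", 4444: "User Portal"}


def _is_trusted(src_net, trusted_nets):
    """True if src_net lies entirely inside one of the trusted networks."""
    for trusted in trusted_nets:
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if src_net.version == trusted.version and src_net.subnet_of(trusted):
            return True
    return False


def audit_rules(rules, trusted_networks):
    """Return a list of findings for allow-rules that expose a management
    port to a source outside the trusted networks."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for rule in rules:
        if rule.get("action") != "allow":
            continue  # deny rules cannot expose anything
        src_net = ipaddress.ip_network(rule["src"], strict=False)
        for port in rule.get("dst_ports", []):
            if port not in MANAGEMENT_PORTS:
                continue
            if not _is_trusted(src_net, trusted_nets):
                findings.append({
                    "rule": rule["name"],
                    "port": port,
                    "interface": MANAGEMENT_PORTS[port],
                    "source": str(src_net),
                })
    return findings


# Constructed sample rule set, not taken from any real device.
SAMPLE_RULES = [
    {"name": "any-to-webadmin", "action": "allow",
     "src": "0.0.0.0/0", "dst_ports": [4443]},
    {"name": "admin-vlan-mgmt", "action": "allow",
     "src": "10.10.0.0/24", "dst_ports": [4443, 4444]},
    {"name": "guest-wifi-portal", "action": "allow",
     "src": "192.168.50.0/24", "dst_ports": [4444]},
    {"name": "deny-all-mgmt", "action": "deny",
     "src": "0.0.0.0/0", "dst_ports": [4443, 4444]},
]

# Constructed trusted administrative ranges (assumption for the example).
SAMPLE_TRUSTED = ["10.10.0.0/24", "10.20.0.0/16"]


def main():
    findings = audit_rules(SAMPLE_RULES, SAMPLE_TRUSTED)
    if not findings:
        print("OK: no management interface exposed outside trusted networks")
        return
    for f in findings:
        print(f"EXPOSED: rule '{f['rule']}' allows {f['source']} "
              f"to {f['interface']} (tcp/{f['port']})")


if __name__ == "__main__":
    main()
```

On the constructed sample, the audit reports two exposures: the "any-to-webadmin" rule (Webadmin open to 0.0.0.0/0) and the "guest-wifi-portal" rule (User Portal reachable from a non-admin VLAN); the admin VLAN rule passes and the deny rule is ignored. The same check can be re-run after patching to confirm that the management interfaces stay restricted to trusted networks, which the advisory recommends regardless of firmware version.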

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI

Related Sophos Vulnerabilities

No related vulnerabilities found with identified affected products.