Sophos Firewall Remote Code Execution Vulnerability: What You Need to Know

On Friday, March 25, Sophos disclosed a critically-rated vulnerability impacting Sophos firewall version 18.5 MR3 (18.5.3) and earlier. This vulnerability is rated 9.8 out of 10 on the CVSS v3 scoring system and is tracked as CVE-2022-1040. Sophos has released a patch to fix the issue.

What happened?

The vulnerability allows for remote code execution (RCE): a malicious actor who can reach the Firewall’s user portal or Webadmin interface remotely can bypass authentication and execute arbitrary code. The vulnerability was reported to Sophos by an unnamed external security researcher via the company’s bug bounty program.

What is Sophos’ response?

According to Sophos’ security advisory, “There is no action required for Sophos Firewall customers with the ‘Allow automatic installation of hotfixes’ feature enabled. Enabled is the default setting.”

Per its device access best practices, Sophos recommends disabling WAN access to the user portal and Webadmin, and instead either securing them behind a VPN or using Sophos Central for remote access and management.

Is Nuspire affected?

Nuspire is not affected by this vulnerability.

What should I do?

Nuspire recommends you take the following actions:

  • Organizations using Sophos firewalls should review Sophos’ security advisory, which lists hotfix versions for supported devices and for unsupported end-of-life devices.
  • Review and configure your device using Sophos’ device access best practices guide.
  • If previously disabled, consider enabling “Allow automatic installation of hotfixes” to apply patches automatically when they’re released.
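As an added triage aid (not a Nuspire or Sophos tool), the script below normalises the two version spellings the advisory uses ("18.5 MR3" and "18.5.3"), flags devices in the affected range, and maps each device’s settings to the actions listed above; the inventory fields, the optional leading "v", and the sample devices are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Highest affected release named in the advisory: 18.5 MR3, i.e. 18.5.3.
LAST_AFFECTED = (18, 5, 3)

# Accepts both spellings quoted on the page: "18.5 MR3" and "18.5.3".
# The optional leading "v" is an assumption about how operators record versions.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\s*MR(\d+)|\.(\d+))?$", re.IGNORECASE)


def parse_sophos_version(text: str) -> tuple[int, int, int]:
    """Normalise '18.5 MR3' / '18.5.3' / '18.5' to a comparable (major, minor, mr) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    major, minor, mr_a, mr_b = m.groups()
    return int(major), int(minor), int(mr_a or mr_b or 0)


def is_affected_version(text: str) -> bool:
    """CVE-2022-1040 affects 18.5 MR3 (18.5.3) and earlier, per the advisory."""
    return parse_sophos_version(text) <= LAST_AFFECTED


@dataclass
class Firewall:                 # constructed inventory record (assumed fields)
    name: str
    version: str
    auto_hotfix: bool           # 'Allow automatic installation of hotfixes'
    wan_admin_access: bool      # user portal / Webadmin reachable from the WAN


def triage(fw: Firewall) -> list[str]:
    """Return the follow-up actions the advisory recommends for one device."""
    actions = []
    if is_affected_version(fw.version):
        if fw.auto_hotfix:
            # The fix ships as a hotfix, which does not change the version string,
            # so an auto-hotfix device is presumed patched but should be confirmed.
            actions.append("confirm hotfix applied (auto-install enabled)")
        else:
            actions.append("apply hotfix from advisory; enable automatic hotfix installation")
    if fw.wan_admin_access:
        actions.append("disable WAN access to user portal/Webadmin; use VPN or Sophos Central")
    return actions


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    Firewall("edge-1", "18.5 MR3", auto_hotfix=True, wan_admin_access=False),
    Firewall("edge-2", "18.5.2", auto_hotfix=False, wan_admin_access=True),
    Firewall("edge-3", "19.0 MR1", auto_hotfix=True, wan_admin_access=True),
]
```

Run it over your own export in place of `SAMPLE_INVENTORY`; a version check alone only tells you a device is in the affected range, not whether the hotfix has landed.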
