An authentication bypass vulnerability (CVE-2022-1040) that allowed for remote code execution (RCE) was discovered in the User Portal and Webadmin of Sophos Firewall.
This vulnerability affects organizations running versions v18.5 MR3 and older of Sophos Firewall.
CVE-2022-1040 was issued a 9.8 rating on the CVSS scale; in other words, critical severity. Because the flaw is an authentication bypass, no credentials are needed to reach it, and RCE is one of the most dangerous classes of flaw because it lets an adversary execute code of their choosing on the vulnerable device, in this case the firewall that sits at the edge of the network.
Sophos released hotfixes for the following versions, according to the company’s security advisory:
These hotfixes are applied automatically when “Allow Automatic Installation of Hotfixes” is enabled, which is the default setting on Sophos Firewall. If that setting has been turned off, admins must apply the update manually and confirm the hotfix is present.
In general, it’s important to ensure that the User Portal and Webadmin are not exposed to the internet. Admins should disable WAN access to both the User Portal and Webadmin by following Sophos’ instructions for device access best practices, and verify from an external vantage point that the management ports no longer answer.
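A quick way to verify the "not exposed to the internet" advice is to probe the firewall's WAN address for the management listeners from outside the network. The script below is an added example written for this article, not Sophos or Blumira code. It assumes the Sophos default ports (4444 for Webadmin, 443 for the User Portal); if those were customised, change the `DEFAULT_SERVICES` table. A completed TCP handshake is treated as "reachable", which is deliberately conservative: from the WAN side you want both ports to be closed or filtered.

```python
"""Check whether a Sophos Firewall's management interfaces answer on its WAN address.

Added example for this article (not vendor code). Run it from a host *outside*
the firewall, e.g.:  python3 check_exposure.py 203.0.113.10
"""
import socket
import sys

# Assumption: the firewall uses Sophos' default listening ports.
# Adjust if Webadmin or the User Portal was moved to a custom port.
DEFAULT_SERVICES = {
    "Webadmin": 4444,
    "User Portal": 443,
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake completes with host:port.

    Only the handshake is attempted; nothing is sent. A completed handshake
    means a service is listening, which is what we want to rule out on the
    WAN interface. Connection refused, timeouts and unreachable networks all
    count as "not reachable".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_exposure(host: str, services=None, timeout: float = 3.0) -> dict:
    """Probe each management service on `host`.

    Returns a mapping of service name -> True if reachable, False otherwise.
    """
    services = services if services is not None else DEFAULT_SERVICES
    return {name: probe_tcp(host, port, timeout) for name, port in services.items()}


def exposed_services(results: dict) -> list:
    """Names of services that answered, sorted for stable output."""
    return sorted(name for name, reachable in results.items() if reachable)


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <firewall WAN IP or hostname>", file=sys.stderr)
        return 2
    results = assess_exposure(argv[1])
    for name, reachable in results.items():
        print(f"{name:12s} port {DEFAULT_SERVICES[name]:<5d} "
              f"{'REACHABLE' if reachable else 'not reachable'}")
    exposed = exposed_services(results)
    if exposed:
        print(f"WAN exposure: {', '.join(exposed)}; disable WAN access in Device access.")
        return 1
    print("No management services reachable from this vantage point.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exit status 1 signals exposure so the check can be dropped into a scheduled job or CI step; note that a port answering only because an upstream proxy or load balancer fronts it is still reported as reachable, which is the intended behaviour for this check.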
Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied by a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.
Blumira’s free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.