
Vulnerability in Sophos firewall

28 March 2022 | March 31st, 2022 | CERT, SOC, Vulnerability

This live blog contains information regarding a vulnerability in Sophos firewalls. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on March 28, 2022.

Update March 28, 2022

12:00 | Recently, a critical vulnerability in Sophos firewalls was published which allows for remote code execution (RCE). This vulnerability is present in the user portal and web admin interfaces of Sophos firewalls. The vulnerability has been assigned the CVE reference CVE-2022-1040 and is relevant for firewall versions v18.5 MR3 (18.5.3) and older.

We advise users to investigate if their systems are vulnerable, and if so, to update the systems as soon as possible.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Potential risk

The vulnerability CVE-2022-1040 has a CVSS score of 9.8. The CVSS scale runs from 0 to 10, where a score of 9.8 or higher is considered rare and is usually reserved for vulnerabilities with a high chance of exploitation and a high impact. This vulnerability allows an attacker to send malicious requests directly to the system in order to run arbitrary code on it. Successful misuse of this vulnerability can allow the attacker to fully take over the system.

The vulnerability was reported via the Sophos bug bounty program by an external security expert. The vulnerability has since been resolved by Sophos.

Detailed information

Sophos firewall versions v18.5 MR3 (18.5.3) and older are vulnerable. Sophos has created a page with more information to help verify if the hotfix has been applied. Sophos advises their customers to apply the hotfixes immediately. Customers making use of the setting ‘Allow automatic installation of hotfixes’ do not need to perform any manual actions.

As a workaround, Sophos advises disabling external access to both the user portal and the web admin interfaces. Sophos refers to their best practices regarding access to these interfaces. Additionally, they advise users to only perform remote administration via Sophos Central or a VPN connection.
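The checks described above can be run over a firewall inventory to decide which devices to handle first. The following is an added example, not code from Sophos or Tesorion: the inventory records, host names and field names are constructed, and reading "MRn" as the third version component is an assumption generalized from the page's "MR3 (18.5.3)".

```python
import re

AFFECTED_MAX = (18, 5, 3)  # per the advisory: v18.5 MR3 (18.5.3) and older

def parse_version(text):
    """Parse '18.5.3' or 'v18.5 MR3' into (major, minor, mr).
    Assumption: 'MRn' equals the third dotted component, as in MR3 = 18.5.3."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+)|\s+MR(\d+))?", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, dotted, mr = m.groups()
    return int(major), int(minor), int(dotted or mr or 0)

def triage(fw):
    """Return (priority, actions) for one record; a lower priority is more urgent."""
    try:
        affected = parse_version(fw["version"]) <= AFFECTED_MAX
    except ValueError:
        # Unknown versions are treated as most urgent rather than silently skipped.
        return 0, ["version unreadable: check the device manually"]
    exposed = [i for i in ("user_portal", "webadmin") if fw["wan_access"].get(i)]
    actions = []
    if affected and fw["auto_hotfix"]:
        actions.append("verify the hotfix was installed automatically")
    elif affected:
        actions.append("apply the hotfix manually")
    if exposed:
        actions.append("disable WAN access to: " + ", ".join(exposed))
    priority = {(True, True): 1, (True, False): 2,
                (False, True): 3, (False, False): 4}[(affected, bool(exposed))]
    return priority, actions

def report(inventory):
    """Return [(name, priority, actions)] sorted with the most urgent device first."""
    rows = [(fw["name"], *triage(fw)) for fw in inventory]
    return sorted(rows, key=lambda row: row[1])

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"name": "fw-utr-03", "version": "18.5.4", "auto_hotfix": False,
     "wan_access": {"user_portal": True, "webadmin": False}},
    {"name": "fw-rtm-02", "version": "18.5.2", "auto_hotfix": True,
     "wan_access": {"user_portal": False, "webadmin": False}},
    {"name": "fw-ams-01", "version": "v18.5 MR3", "auto_hotfix": False,
     "wan_access": {"user_portal": True, "webadmin": True}},
]

if __name__ == "__main__":
    for name, priority, actions in report(INVENTORY):
        print(f"P{priority} {name}: " + "; ".join(actions))
```

A device in the affected range with automatic hotfixes enabled is still listed for verification, because only the Sophos verification page confirms that the hotfix is actually present.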

