Sophos vulnerability advisory


A remote code execution (RCE) vulnerability (CVE-2022-1040) has been identified in User Portal and Webadmin of Sophos Firewall in versions 18.5 MR3 (18.5.3) and older. The vulnerability has been rated as critical by our cyber security specialists. 


Sophos Firewall software provides network and user endpoint security. 


The exploitation of an RCE vulnerability could allow a malicious actor to remotely install malware or otherwise control the affected device.

Sophos has observed this vulnerability being used to target a small set of specific organisations primarily in the South Asia region. We have informed each of these organisations directly. Sophos will provide further details as we continue to investigate.

How to stay secure

Organisations that use Sophos Firewall versions prior to v18.5 should review their patch status and update to the latest version.

Sophos has released a security advisory and a hotfix for the affected Sophos Firewall versions. Please review the hotfix and apply it as soon as possible.

No update action is required for Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled, which is the default setting. To confirm that the hotfix has been applied to your firewall, please refer to KB-000043853.

What to do if you believe you may be affected by this vulnerability

Blackpanda incident response experts are monitoring the situation and are prepared to provide assistance and advice as required. 

If you believe that your organisation may have been impacted by this vulnerability, a compromise assessment is the best way to ensure that any threats currently in your network are addressed as soon as possible. 

If you require emergency incident response, please contact Blackpanda immediately.
