Attackers are exploiting recently patched RCE in Sophos Firewall (CVE-2022-1040)

A critical vulnerability (CVE-2022-1040) in Sophos Firewall is being exploited in the wild to target “a small set of specific organizations primarily in the South Asia region,” Sophos has warned.

About CVE-2022-1040

CVE-2022-1040 is an authentication bypass vulnerability in the User Portal and Webadmin of Sophos Firewall, and can be exploited by attackers to achieve remote code execution on vulnerable appliances. It was reported to Sophos by an external security researcher.

The vulnerability affects Sophos Firewall v18.5 MR3 (18.5.3) and older.

Sophos started releasing hotfixes on March 23, and they are currently available for a variety of supported and unsupported EOL versions of the popular enterprise-grade solution.

Enterprise administrators that have left the “Allow automatic installation of hotfixes” feature enabled (it is enabled by default) don’t need to worry – they got them last week.

Those who haven’t are urged to implement the necessary hotfix or to implement a workaround to protect their network from external attackers: “Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.”

Users can verify if the hotfix for CVE-2022-1040 has been successfully applied by following these instructions, and should consider enabling the automatic hotfix installation feature (if they haven’t already).

Active exploitation

After releasing the security advisory for CVE-2022-1040 on Friday, Sophos has updated in on Monday to let customers know that the vulnerability is being used to mainly target organizations in the South Asia region, and that they have informed each of them directly.

We’ve asked Sophos whether the flaw had been exploited in the wild before they issued the hotfixes or after, and we’ll update this piece when we get an answer.