What is Sophos Firewall?
Sophos Firewall (formerly Sophos XG Firewall) is a network security appliance deployed by enterprises and managed service providers to provide firewall, VPN, intrusion detection, and web filtering. Its web-based management console and user self-service portal are accessible directly from the appliance's IP address, making them frequently exposed to the internet for remote administration.
Overview
CVE-2022-1040 is a pre-authentication remote code execution vulnerability in the User Portal and Webadmin components of Sophos Firewall. An unauthenticated attacker able to reach these interfaces over HTTP/HTTPS can bypass authentication and execute arbitrary code on the appliance. Sophos confirmed active exploitation in the wild targeting South Asian organizations within days of the advisory, prompting CISA to add it to the KEV catalog on March 31, 2022 — less than a week after disclosure.
Affected Versions
| Version | Status |
|---|---|
| Sophos Firewall v18.5 MR2 and earlier | Vulnerable |
| Sophos Firewall v18.5 MR3 and later | Fixed |
| Sophos Firewall v19.0 GA | Fixed |
Technical Details
The vulnerability is an authentication bypass (CWE-287) in the portal and admin web interfaces. The precise mechanism was not publicly detailed by Sophos, but the class of bug allows an attacker to reach authenticated functionality without valid credentials — and from there execute arbitrary code with the privileges of the web server or underlying OS.
Attack characteristics:
- No authentication required: exploitable from the network without any credentials
- Attack complexity (Low): straightforward exploitation pattern with no special conditions
- Single request: exploitation does not require multi-step interaction
- Remote code execution: arbitrary command execution on the appliance OS
- Scope (Unchanged): the attacker gains control of the firewall itself
Sophos issued a hotfix that auto-applied to internet-connected appliances with automatic updates enabled. Customers not using automatic updates required manual action.
Discovery
Sophos discovered the vulnerability through internal investigation. The company noted that exploitation was observed targeting "a specific small set of organizations primarily in the South Asia region" before the advisory was published.
Exploitation Context
Firewall appliances are extremely high-value targets because they:
- Sit at the network perimeter with internet-facing interfaces
- Have trusted network access to internal infrastructure
- Are often excluded from endpoint security monitoring
- Control VPN gateways (allowing pivoting into internal networks)
Sophos attributed the targeted exploitation to an advanced threat actor. The timing and targeting pattern (South Asia organizations) aligned with espionage-motivated attacks. Exploitation of perimeter security appliances by state-linked threat actors has become a recurring pattern, with similar attacks seen against Fortinet, Pulse Secure, and Citrix appliances.
Remediation
- Apply the hotfix or upgrade: Update to Sophos Firewall v18.5 MR3+ or v19.0 GA. Appliances with automatic updates should have received a hotfix automatically.
- Restrict access to portal and admin interfaces: Do not expose the User Portal (typically port 443/8443) or Webadmin (port 4444) to untrusted networks. Use an allow-list of management IPs.
- Disable portal access from WAN: If VPN users don't need to access the self-service portal from the internet, disable WAN access entirely via the admin console.
- Review for compromise indicators: Check admin user accounts, firewall rules, and VPN configurations for unauthorized changes. Monitor authentication logs for unusual access.
- Enable auto-updates: Ensure automatic hotfix updates are enabled so future critical patches apply without manual intervention.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-1040 |
| Vendor / Product | Sophos — Firewall |
| NVD Published | 2022-03-25 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2022-03-31 |
| CISA KEV Deadline | 2022-04-21 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Timeline
| Date | Event |
|---|---|
| 2022-03-25 | Sophos published advisory and hotfix |
| 2022-03-25 | CVE published |
| 2022-03-31 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-21 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-1040 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Sophos Security Advisory — SFOS RCE | Vendor Advisory |