CVE-2022-1040 Overview
CVE-2022-1040 is an authentication bypass vulnerability in the User Portal and Webadmin interfaces of Sophos Firewall. A remote, unauthenticated attacker can bypass authentication and execute arbitrary code on the appliance over the network. The flaw affects Sophos Firewall version v18.5 MR3 and earlier releases. CISA added this issue to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation against internet-facing Sophos Firewall deployments. The EPSS score is 94.439% at the 99.99 percentile, reflecting a very high likelihood of exploitation activity.
Critical Impact
Unauthenticated remote attackers can bypass authentication on the User Portal or Webadmin and execute code on the firewall, gaining control of a perimeter security device.
Affected Products
- Sophos Firewall (SFOS) version v18.5 MR3 and older
- Sophos SFOS appliances exposing the User Portal to untrusted networks
- Sophos SFOS appliances exposing the Webadmin interface to untrusted networks
Discovery Timeline
- 2022-03-25 - Sophos publishes security advisory sophos-sa-20220325-sfos-rce
- 2022-03-25 - CVE-2022-1040 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2022-1040
Vulnerability Analysis
The vulnerability is an authentication bypass in two web-facing management surfaces of Sophos Firewall: the User Portal and the Webadmin console. By reaching these endpoints over the network, an attacker can circumvent authentication checks and invoke functionality that should require valid credentials. The bypass chains into code execution on the underlying appliance, allowing the attacker to run commands in the context of the firewall.
Because Sophos Firewall is typically deployed at the network edge, successful exploitation gives an attacker a foothold on the perimeter. From that position, an attacker can intercept traffic, pivot into the internal network, modify firewall rules, or disable inspection. CISA KEV listing and Exploit-DB entry 51006 confirm working exploitation paths are public.
Root Cause
The root cause is improper authentication enforcement in the User Portal and Webadmin web applications. Requests that should be rejected as unauthenticated are processed by privileged handlers. NVD classifies the weakness as NVD-CWE-noinfo, and Sophos has not publicly disclosed the specific code-level defect. See the Sophos Security Advisory for vendor details.
Attack Vector
The attack vector is the network. An attacker sends crafted HTTP/HTTPS requests to the User Portal or Webadmin interface, which are commonly exposed on the WAN for remote administration and VPN portal access. No user interaction and no prior privileges are required. The Packet Storm advisory and Exploit-DB #51006 document the exploitation mechanics.
// No verified public exploit code reproduced here.
// Refer to Exploit-DB #51006 and the Sophos advisory for technical specifics.
Detection Methods for CVE-2022-1040
Indicators of Compromise
- Unexpected administrator or portal user accounts created on the firewall outside of change control
- Anomalous outbound connections from the firewall management plane to unknown IP addresses
- Modifications to firewall rules, VPN configurations, or DNS settings without a corresponding change record
- Webadmin or User Portal access log entries from unfamiliar source IPs preceding configuration changes
Detection Strategies
- Inspect Sophos Firewall access logs for HTTP requests to User Portal and Webadmin URLs from non-administrative source ranges.
- Correlate firewall configuration change events with authenticated administrator session activity to identify changes without a matching login.
- Compare running configuration against known-good baselines to detect tampering with rules, certificates, or admin accounts.
Monitoring Recommendations
- Forward Sophos Firewall syslog to a central SIEM or data lake and alert on management-plane access from outside approved networks.
- Monitor for outbound traffic originating from the firewall itself, which should be rare and well-defined.
- Track firmware version reporting from all SFOS appliances to identify systems still running v18.5 MR3 or earlier.
How to Mitigate CVE-2022-1040
Immediate Actions Required
- Apply the Sophos hotfix or upgrade to a fixed SFOS release as documented in sophos-sa-20220325-sfos-rce.
- Restrict User Portal and Webadmin exposure to trusted management networks; remove WAN access where not strictly required.
- Audit administrator accounts, API tokens, and firewall rules for unauthorized changes since March 2022.
- Rotate administrator credentials and any secrets stored on or reachable from the firewall.
Patch Information
Sophos released hotfixes for supported SFOS versions, distributed automatically to appliances with the default "Allow automatic installation of hotfixes" setting enabled. Customers running v18.5 MR3 or older must verify hotfix installation or upgrade to a fixed release. Full remediation guidance is provided in the Sophos Security Advisory and the CISA KEV entry.
Workarounds
- Disable WAN access to the User Portal and Webadmin until the hotfix is confirmed installed.
- Limit management access using local service ACLs to specific administrator source IP ranges.
- Place the firewall management interfaces behind a VPN or jump host where feasible.
# Verify hotfix application status on Sophos Firewall (admin CLI)
system diagnostic show version
system hotfix show
# Confirm WAN exposure of management services
system service-acl show
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
