Sophos has fixed a critical vulnerability, CVE-2022-1040 (CVSSv3 severity 9.8), in its Sophos Firewall product. A remote attacker who can reach the firewall’s User Portal or Webadmin interface can use the flaw to bypass authentication and execute arbitrary code, i.e. achieve remote code execution (RCE) on the firewall itself.
Below is a comment from Claire Tills, Senior Research Engineer at Tenable, analyzing the vulnerability and its implications.
“On March 25, a Friday, Sophos released patches for a critical remote code execution flaw in its Firewall solution. A vulnerability in a security product that receives a CVSSv3 severity of 9.8 is cause for immediate concern.
“Many Sophos Firewall users won’t need to take any additional actions to patch this flaw as the Sophos Firewall has ‘Allow automatic installation of hotfixes’ enabled by default. However, any organization that has manually disabled this feature, or is running ‘older versions’ of Sophos Firewall, should look to urgently patch given a vulnerable firewall is a major security concern.
“In 2020, threat actors used a SQL injection flaw in Sophos XG Firewalls, CVE-2020-12271, with the same severity in targeted attacks as a zero-day. CVE-2020-12271 allowed attackers to exfiltrate sensitive data, while CVE-2022-1040 could allow them to execute arbitrary code.” – Claire Tills, Senior Research Engineer, Tenable.