An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. It was reported by an external security researcher via the Sophos bug bounty program and responsibly disclosed to Sophos. The vulnerability has been fixed.
No action is required for Sophos Firewall customers who have the "Allow automatic installation of hotfixes" feature enabled, which is the default setting.
Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.
Applies to the following Sophos product(s) and version(s)
Sophos Firewall v18.5 MR3 (18.5.3) and older
Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN.
Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.
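A quick way to verify the mitigation above is to probe the firewall's WAN address from a host outside the network and confirm that neither portal answers. The script below is an added example, not part of the Sophos advisory or any Sophos tooling; it assumes the factory-default ports (Webadmin on TCP/4444, User Portal on TCP/443), which the advisory does not state and which may be customised on your device. The placeholder address is from the TEST-NET-3 documentation range.

```python
import socket
import sys
from typing import Callable, Dict, List

# Assumed defaults (not stated on the advisory): Webadmin on TCP/4444,
# User Portal on TCP/443. Override if your firewall uses custom ports.
DEFAULT_SERVICES: Dict[str, int] = {"Webadmin": 4444, "User Portal": 443}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout), or unreachable all count as "not exposed".
        return False


def check_wan_exposure(
    host: str,
    services: Dict[str, int] = DEFAULT_SERVICES,
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> Dict[str, bool]:
    """Map each service name to whether its port answered from this vantage point.

    `probe` is injectable so the logic can be exercised without network access.
    """
    return {name: probe(host, port) for name, port in services.items()}


def exposed_services(results: Dict[str, bool]) -> List[str]:
    """Names of services that answered, i.e. are still reachable from the WAN."""
    return sorted(name for name, reachable in results.items() if reachable)


if __name__ == "__main__":
    # Run this from a machine on the public internet, not from inside the LAN.
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder
    results = check_wan_exposure(host)
    for name, reachable in results.items():
        status = "REACHABLE - disable WAN access" if reachable else "not reachable"
        print(f"{name} ({DEFAULT_SERVICES[name]}/tcp): {status}")
    # Non-zero exit if anything is exposed, so this can gate a scheduled job.
    sys.exit(1 if exposed_services(results) else 0)
```

A successful TCP connect only proves the port is open; a closed or filtered result from the outside is the state you want. Run it from outside your own network, since from the LAN the portals are expected to respond.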
Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP published on March 23, 2022
Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 published on March 23, 2022
Hotfixes for unsupported EOL version v18.5 GA published on March 24, 2022
Hotfixes for v18.5 MR3 published on March 24, 2022
Hotfixes for unsupported EOL version v17.5 MR3 published on April 4, 2022
Fix included in v19.0 GA and v18.5 MR4 (18.5.4)
Users of versions older than those listed above must upgrade to a supported version to receive this fix and the latest protections.
To confirm that the hotfix has been applied to your firewall, please refer to KB-000043853.
- 2022-03-25: First Published
- 2022-03-28 22:10 UTC: Updated Overview text with additional information from Sophos investigation
- 2022-04-05: Updated hotfix release information for v17.5 MR3