The vulnerability, tracked as CVE-2022-1040, is rated 9.8 out of 10 on the CVSS scoring system and affects Sophos Firewall version 18.5 MR3 (18.5.3) and older. It is an authentication bypass in the User Portal and Webadmin interfaces that, if successfully weaponized, allows a remote attacker to execute arbitrary code on the appliance.
“Sophos observed this vulnerability being used to target a small group of specific organizations primarily in the South Asia region,” the company noted in a revised advisory published Monday. “We have notified each of these organizations directly.”
The vulnerability was addressed in a hotfix that was installed automatically for customers who had the “Allow automatic hotfix installation” setting enabled. For devices that have not yet received the hotfix, Sophos recommends as a workaround that users disable WAN access to the Webadmin and User Portal interfaces, so the vulnerable endpoints are not reachable by external attackers.
Additionally, the British security software company shipped hotfixes for the unsupported end-of-life versions 17.5 MR12 through MR15, 18.0 MR3 and MR4, and 18.5 GA, underscoring the severity of the problem.
“Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections and this fix,” Sophos said.
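The version ranges above are easy to misread, because Sophos firmware is written both as "18.5 MR3" (maintenance-release notation, where GA is MR0) and as "18.5.3". The following triage helper is an added example, not Sophos' code or tooling: it normalises both notations and flags a given build as outside the affected range, affected and hotfixable through the normal supported channel, or one of the end-of-life builds the article says received a separate hotfix. The classification strings and the assumption that GA maps to maintenance release 0 are this example's own conventions, not the advisory's.

```python
import re
from typing import Tuple

# Version tuples are (major, minor, maintenance release); "GA" is treated as MR0 (assumption).
# Ceiling of the affected range as stated in the advisory: 18.5 MR3 (18.5.3) and older.
LAST_VULNERABLE = (18, 5, 3)

# End-of-life branches for which the article reports a separate hotfix.
EOL_HOTFIXED = {
    (17, 5): range(12, 16),   # 17.5 MR12 through MR15
    (18, 0): range(3, 5),     # 18.0 MR3 and MR4
    (18, 5): range(0, 1),     # 18.5 GA
}

# "18.5 MR3", "v18.5 GA", "18.5MR3" -> maintenance-release notation
_MR_FORM = re.compile(r"^v?(\d+)\.(\d+)\s*(?:GA|MR\s*(\d+))$", re.IGNORECASE)
# "18.5.3" -> dotted notation
_DOTTED_FORM = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise either notation to a comparable (major, minor, mr) tuple."""
    s = text.strip()
    m = _MR_FORM.match(s)
    if m:
        major, minor, mr = m.groups()
        return int(major), int(minor), int(mr) if mr is not None else 0
    m = _DOTTED_FORM.match(s)
    if m:
        major, minor, mr = m.groups()
        return int(major), int(minor), int(mr)
    raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")


def classify(text: str) -> str:
    """Place a firmware build relative to the CVE-2022-1040 affected range."""
    v = parse_version(text)
    if v > LAST_VULNERABLE:          # tuple comparison: newer than 18.5 MR3
        return "not in affected range"
    branch, mr = v[:2], v[2]
    if mr in EOL_HOTFIXED.get(branch, ()):
        return "affected; EOL build with hotfix available, upgrade still required"
    return "affected; apply hotfix or upgrade"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for build in ["18.5 MR3", "18.5.3", "18.5 MR4", "19.0.0", "17.5 MR12", "18.0 MR4", "18.5 GA"]:
        print(f"{build:>10}: {classify(build)}")
```

Feed it the firmware strings from an asset inventory; anything reported as affected should either show the hotfix as applied or have its Webadmin and User Portal removed from WAN-facing zones until it is upgraded.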