hivepro / Rahul Tulsiani / HIVEPRO:C8E16305E3916AEA5DEF3355D25361EC
History: Mar 30, 2022 - 1:16 p.m.

Sophos Firewall RCE vulnerability actively exploited

2022-03-30 13:16:02
Rahul Tulsiani
www.hivepro.com

9.8 High

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

THREAT LEVEL: Amber

For a detailed advisory, download the PDF file here.

A security researcher discovered an authentication bypass vulnerability in the User Portal and Webadmin interfaces of Sophos Firewall. Attackers are actively exploiting it against enterprises in South Asia. The vulnerability, tracked as CVE-2022-1040, allows a remote, unauthenticated attacker who can reach the Firewall's User Portal or Webadmin interface to bypass authentication and execute arbitrary code (CVSS 3.1 score 9.8: network-reachable, low complexity, no privileges or user interaction required).

Sophos published a hotfix, which is deployed automatically to affected devices because the 'Allow automatic installation of hotfixes' setting is enabled by default. Devices on which that setting has been turned off, and end-of-life Sophos Firewall versions, do not receive the fix this way and must be updated manually to close the issue and defend against the ongoing attacks.

Customers can also protect themselves from external attackers by not exposing the User Portal and Webadmin to the WAN. Because the flaw is reachable without credentials, whether these interfaces answer on the WAN address is the single most useful thing to verify, and it should be checked from outside the perimeter rather than inferred from the rule base.

Potential MITRE ATT&CK TTPs:
TA0042: Resource Development
TA0006: Credential Access
TA0007: Discovery
TA0001: Initial Access
TA0004: Privilege Escalation
TA0005: Defense Evasion
T1588: Obtain Capabilities
T1588.006: Obtain Capabilities: Vulnerabilities
T1190: Exploit Public-Facing Application
T1040: Network Sniffing
T1548: Abuse Elevation Control Mechanism

Vulnerability Details

References
https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce
https://support.sophos.com/support/s/article/KB-000043853?language=en_US
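As an added check, not code from HivePro or Sophos, the following Python script tests from outside the perimeter whether a firewall's management interfaces complete a TCP handshake on its WAN address, which is the exposure the advisory tells customers to remove. It assumes the factory-default listening ports (Webadmin on TCP 4444, User Portal on TCP 443); the advisory does not state them and they can be changed on a given unit, so pass your own port list if needed. The loopback listener helper exists only so the check can be exercised offline.

```python
"""Probe whether a Sophos Firewall's Webadmin / User Portal answer on the WAN.

Added example for the CVE-2022-1040 advisory; not HivePro or Sophos code.
Run it from a host OUTSIDE the firewall. It only proves reachability, not
whether the hotfix is installed.
"""
import socket
import sys
import threading
from typing import Dict, List, Mapping

# ASSUMPTION: factory-default ports. The advisory does not state them, and
# both are configurable, so supply your own mapping when they differ.
DEFAULT_ADMIN_PORTS: Mapping[int, str] = {4444: "Webadmin", 443: "User Portal"}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    A firewall that drops WAN traffic to the port produces a timeout (False);
    a closed port produces a refusal (also False). Either is the desired
    outcome for the management interfaces.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str, ports: Mapping[int, str] = DEFAULT_ADMIN_PORTS,
                   timeout: float = 3.0) -> Dict[int, bool]:
    """Map each candidate port to whether it accepted a connection."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def exposed_services(result: Mapping[int, bool],
                     ports: Mapping[int, str] = DEFAULT_ADMIN_PORTS) -> List[str]:
    """Names of the services that answered; an empty list is the desired state."""
    return [ports.get(p, f"tcp/{p}") for p, reachable in result.items() if reachable]


def free_port() -> int:
    """Pick a currently unused loopback port (exercises the closed-port path)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def local_listener():
    """Start a throwaway loopback listener so the check can run offline.

    Returns (server_socket, port); close the socket when finished.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_once() -> None:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass  # listener closed before a client arrived

    threading.Thread(target=accept_once, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python check_sophos_exposure.py <wan-ip-or-hostname> [port ...]
    if len(sys.argv) < 2:
        sys.exit("usage: check_sophos_exposure.py <host> [port ...]")
    target = sys.argv[1]
    ports = {int(p): f"tcp/{p}" for p in sys.argv[2:]} or DEFAULT_ADMIN_PORTS
    found = exposed_services(check_exposure(target, ports), ports)
    print(f"{target}: management interfaces reachable from here -> {found or 'none'}")
```

Anything the script lists as reachable should be restricted to LAN or VPN sources (or to a dedicated management network) regardless of patch status; a timeout and a refusal are both reported as not reachable, which is what a correctly firewalled WAN interface looks like.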
