Sophos Firewall Authentication Bypass Vulnerability (CVE-2022-1040)
An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution.
A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2022-04-21 under CISA BOD 22-01.
This vulnerability affects Sophos Firewall. An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/168046/Sophos-XG115w-Firewall-17.0.10-MR-10-Authentication-Bypass.html
Get the fix
Apply the fixed package from your vendor. The advisory lists affected versions and the exact fixed build.
↗ Vendor advisoryManual remediation steps
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References
Related vulnerabilities
KB5000871: Windows Server 2016 / 2019 Security Update (May 2026)
Microsoft Exchange Server
CVE-2021-26855
MEDIUM6.5Microsoft Defender for Identity Improper Authentication — Spoofing (CVE-2025-26685)
Microsoft Defender for Identity
CVE-2025-26685
HIGHIIS Security Updates Require Both Windows Update and Manual Configuration Review
Microsoft IIS