Fix for vulnerability CVE-2022-104 in Sophos Firewall (v18.5 MR3)

Sicherheit (Pexels, allgemeine Nutzung)[German]A security researchers have found a vulnerability CVE-2022-104 (authentication bypass) in Sophos firewalls (v18.5 MR3 and older) that allows authentication bypass. Attackers could thus take over the firewall and execute malicious code remotely. However, Sophos has since released an update for the firewall products in question.


The following tweet points out the issue for which Sophos has published this security warning as of March 25, 2022.  

In the security advisory, Sophos states that an authentication bypass vulnerability CVE-2022-104 exists in its firewalls in firmware v18.5 MR3 (18.5.3) and older. The vulnerability was reported via the Sophos Bug Bounty Program by an external security researcher. This vulnerability allows authentication bypass in the Sophos Firewall user portal and web admin. This ultimately allows attackers to remotely execute code.

Sophos Firewall v18.5 MR3 (18.5.3) and older versions are affected. Sophos released the following hotfixes to close the vulnerabilities on 23 March 2022:

  • Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP published on March 23, 2022
  • Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 published on March 23, 2022
  • Hotfixes for unsupported EOL version v18.5 GA published on March 24, 2022
  • Hotfixes for v18.5 MR3 published on March 24, 2022
  • Fix included in v19.0 GA and v18.5 MR4 (18.5.4)

Sophos says, users of older versions of Sophos Firewall are required to upgrade to receive the latest protections and this fix.


No action is required for Sophos firewalls that have the "Allow automatic installation of hotfixes" feature enabled.

To prevent remote code execution by external attackers, administrators should ensure that their user portal and webadmin are not accessible via wide area network (WAN). Sophos recommends disabling WAN access to the User Portal and Webadmin (see this best practice instructions). Bleeping Computer has also published some more information on the subject here.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software, Update and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *