Cyber Resilience

CVE-2022-1040

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 25 March 2022

Published
25 March 2022
Modified
27 October 2025
KEV Added
31 March 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9444 100.0th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-1040 is a critical-severity an unspecified weakness vulnerability in Sophos Sfos. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

An authentication bypass vulnerability affects the User Portal and Webadmin components of Sophos Firewall in version v18.5 MR3 and older. Tracked as CVE-2022-1040, the flaw received a CVSS 3.1 base score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction, resulting in full impact to confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit the weakness to bypass authentication controls and execute arbitrary code on the firewall. Public proof-of-concept code has been posted to Exploit-DB and PacketStorm, enabling straightforward remote code execution against exposed management interfaces.

The vendor published an advisory detailing the issue. The associated EPSS score reached a peak of 0.9750 and remains at 0.9444, reflecting sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.

CWE(s)
KEV Date Added
31 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sophos
sfos
≤ 18.5.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of vendor patches that remediate the authentication-bypass flaw in Sophos Firewall v18.5 MR3 and earlier.

prevent

Mandates enforcement of access-control policies on the User Portal and Webadmin interfaces so that unauthenticated remote code execution cannot succeed.

prevent

Requires boundary-protection mechanisms that restrict network exposure of management interfaces, limiting the attack surface for the unauthenticated RCE vector.

References