Security News > 2022 > June > Sophos Firewall zero-day bug exploited weeks before fix

Sophos Firewall zero-day bug exploited weeks before fix
2022-06-16 22:23

Chinese hackers used a zero-day exploit for a critical-severity vulnerability in Sophos Firewall to compromise a company and breach cloud-hosted web servers operated by the victim.

On March 25, Sophos published a security advisory about CVE-2022-1040, an authentication bypass vulnerability that affects the User Portal and Webadmin of Sophos Firewall and could be exploited to execute arbitrary code remotely.

This week, cybersecurity company Volexity detailed an attack from a Chinese advanced persistent threat group they track as DriftingCloud, which exploited CVE-2022-1040 since early March, a little over three weeks before Sophos released a patch.

The adversary used the zero-day exploit to compromise the firewall to install webshell backdoors and malware that would enable compromising external systems outside the network protected by Sophos Firewall.

The researchers say that gaining access to Sophos Firewall was the first step of the attack, allowing the adversary to perform man-in-the-middle activity by way of modifying DNS responses for specific websites managed by the victim company.

Sophos provided hotfixes that address CVE-2022-1040 automatically as well as mitigations that help organizations using its firewall protect against exploiting the vulnerability.


News URL

https://www.bleepingcomputer.com/news/security/sophos-firewall-zero-day-bug-exploited-weeks-before-fix/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-03-25 CVE-2022-1040 Unspecified vulnerability in Sophos Sfos
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
network
low complexity
sophos
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Sophos 70 11 77 42 22 152