Severity: Critical | CISA KEV | Exploited in the wild | Public exploit

Authentication Bypass RCE in Sophos Firewall User Portal and Webadmin

Identifiers: CVE-2022-1040, CWE-288

CVE-2022-1040 is a critical authentication bypass vulnerability in Sophos Firewall affecting version 18.5 MR3 (18.5.3) and earlier. The flaw resides in the firewall's User Portal and Webadmin web interfaces and allows a remote attacker with network access to those interfaces to bypass authentication controls and execute arbitrary code on the device. The available advisories consistently describe the issue as an authentication bypass leading directly to remote code execution, but none identifies a specific vulnerable function or code path.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote compromise of the affected Sophos Firewall appliance. An attacker can bypass login protections on exposed administrative or user-facing web interfaces and execute arbitrary code on the firewall, which can result in full device takeover, theft of credentials and configuration data, deployment of malware or backdoors, persistence, use of the firewall as a proxy or pivot point, and broader compromise of protected internal networks.

Mitigation

If you can’t patch tonight, do this now.

Do not expose the User Portal or Webadmin interfaces to the WAN. Disable WAN access to those interfaces where possible and use VPN access or Sophos Central for remote administration instead. Until patching is confirmed, restrict network reachability to trusted management sources only and monitor affected devices for signs of compromise or unauthorized code execution.
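A defender-side check that follows from this mitigation, added here as an example (it is not code from this page, from Sophos, or from Mallory): scan web access-log lines for POSTs to the /webconsole/Controller and /userportal/Controller endpoints named in the exploit summaries on this page that originate outside an assumed trusted-management allow-list. The generic access-log format, the trusted CIDRs and the sample lines are constructed assumptions, since the page gives no Sophos log format.

```python
import ipaddress
import re

# Login controller paths named on this page as the ones the public PoCs post to.
WATCHED_PATHS = ("/webconsole/Controller", "/userportal/Controller")

# Assumed trusted management ranges (placeholder values; replace with your own).
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.100.0/24")]

# Constructed generic access-log shape: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_trusted(ip):
    """True when the client address falls inside one of the allow-listed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_untrusted_login_posts(lines):
    """Return (ip, path, status) for every POST to a watched path from an untrusted source."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] not in WATCHED_PATHS:
            continue
        if not is_trusted(rec["ip"]):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


# Constructed sample lines, not real traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '10.0.5.7 - - [01/Jan/2024:10:00:00 +0000] "POST /webconsole/Controller HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "POST /webconsole/Controller HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /userportal/Controller HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jan/2024:10:00:03 +0000] "POST /userportal/Controller HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path, status in find_untrusted_login_posts(SAMPLE_LOG):
        print(f"ALERT: untrusted source {ip} POST {path} -> {status}")
```

Any hit from a WAN-facing address is evidence that the interface is still reachable from untrusted networks and that the device should be treated as possibly compromised until the hotfix is confirmed.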

Remediation

Patch, then assume compromise.

Apply Sophos-issued hotfixes for CVE-2022-1040 immediately. Sophos released hotfixes, and most firewall instances receive them automatically when automatic hotfix installation is enabled, which is the default. Verify that the hotfix has actually been applied. For older versions or end-of-life products that may not receive the fix automatically, perform the vendor-recommended manual remediation or upgrade to a supported fixed release.

PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).

cve-2022-1040 | Maturity: PoC | Verified exploit

This repository provides a proof-of-concept (PoC) exploit for CVE-2022-1040, an authentication bypass vulnerability in the Sophos Firewall web admin interface. The repository contains two main Python files (Sophos-poc.py and Docker/Sophos-poc.py, which are identical), a Dockerfile for containerized execution, and a README with usage instructions. The exploit works by running a local HTTPS man-in-the-middle (MITM) proxy (using baseproxy) on port 8788. The user configures their browser to use this proxy, and when attempting to log in to the Sophos Firewall's web admin interface (typically on port 4444), the proxy intercepts and modifies specific POST requests to /webconsole/Controller. It injects a crafted JSON payload that exploits the authentication bypass, potentially granting unauthorized access to the firewall's admin interface. The exploit does not provide a post-exploitation payload but demonstrates the vulnerability by allowing access without valid credentials. The Dockerfile enables easy setup of the required environment. No hardcoded IPs or external domains are present; the main fingerprintable endpoints are the local proxy and the targeted Sophos Firewall path.

Author: Keith-amateur | Disclosed Oct 7, 2022 | Tags: python, dockerfile, network

CVE-2022-1040 | Maturity: PoC | Verified exploit

This repository provides a proof-of-concept (PoC) exploit for CVE-2022-1040, an authentication bypass vulnerability in the Sophos XG115w Firewall version 17.0.10 MR-10. The exploit consists of two main files: 'CVE-2022-1040.txt', which documents the vulnerability details and provides a sample HTTP POST request to the /webconsole/Controller endpoint, and 'userportal', which contains a similar POST request targeting the /userportal/Controller endpoint. Both files demonstrate how an attacker can craft specific POST requests with manipulated parameters (notably the 'mode' and 'json' fields) to bypass authentication and gain unauthorized access to the firewall's management or user portal interfaces. The README.md provides a brief description and a screenshot reference. No executable code is present; the repository is documentation and PoC request samples for manual exploitation. The attack vector is network-based, requiring access to the firewall's web interfaces.

Author: jackson5sec | Disclosed Oct 30, 2022 | Tags: http, markdown, network

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor    Product    Type
Sophos    Sfos       operating_system

Vendor-confirmed product mapping.
