Sophos Firewall User Portal and Webadmin Code Injection RCE

Successful exploitation allows a remote attacker to execute code on the affected Sophos Firewall appliance. Given the affected components are administrative and user-facing management interfaces on an edge security device, compromise can result in full device takeover, unauthorized access to firewall administration functions, theft of administrator credentials, deployment of malware and backdoors, persistence, traffic interception or manipulation, and use of the firewall as a pivot point or proxy for further intrusion activity. Available reporting states the impact to confidentiality, integrity, and availability is high.

If immediate patching is not possible, reduce exposure by disabling WAN access to the User Portal and Webadmin interfaces. Sophos specifically recommends not exposing these management interfaces to the internet and instead using VPN and/or Sophos Central for remote access and administration. Additional defensive measures include restricting access to management services to trusted networks, increasing monitoring and detection around firewall administration activity, and reviewing logs for signs of exploitation or follow-on malware deployment.

Apply Sophos-provided fixes and upgrade to a supported, patched firmware release. The provided content states fixes are included in Sophos Firewall v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA and above, with additional hotfixes issued for certain older branches, including some end-of-life versions. Organizations should verify that the relevant hotfix has been installed, enable automatic hotfix installation if not already enabled, and upgrade any end-of-life firmware or devices to currently supported versions. Because patching does not remediate prior compromise, affected organizations should also perform post-patch threat hunting and forensic review of system and network logs.