Firewall Inferno – Sophos & SonicWall Vulnerabilities

Share :

CVE-2022-1040 and CVE-2022-22247 are two recent vulnerabilities that have been discovered in two different Firewall products. This blog post will cover both the Sophos Firewall vulnerability (CVE-2022-1040) and the SonicWall Firewall vulnerability (CVE-2022-22247).

Background on CVE-2022-1040 in Sophos Firewalls

On Friday, March 25, 2022, Sophos, a British-based cybersecurity company, disclosed a critical authentication bypass vulnerability impacting Sophos Firewall, which was discovered by a security researcher using Sophos’ bug bounty program. This vulnerability affects versions up to and including 18.5 MR3 (18.5.3) and could lead to remote code execution. Assigned CVE-2022-1040 vulnerability ID with the 9.8 – Critical, CVSS (Common Vulnerability Scoring System) V3 score; this vulnerability was found in the User Portal and Webadmin interfaces of Sophos Firewall. In order for a threat actor to exploit this vulnerability, WAN access must be enabled for these portals.

Affected Version by CVE-2022-1040

Sophos has released hotfixes for both supported and end-of-life versions of affected products on March 23 and March 24, ahead of disclosing the vulnerability.

Hotfixed Supported Versions

Hotfixed Unsupported / EOL Versions

  • v17.0 MR10 EAL4+
  • v17.5 MR16 and MR17
  • v18.0 MR5(-1) and MR6
  • v18.5 MR1 through MR3
  • v19.0 EAP
  • v17.5 MR12 through MR15
  • v18.0 MR3 and MR4
  • v18.5 GA

Recommendations for CVE-2022-1040

Arctic Wolf strongly recommends updating and verifying the firmware patch is applied. For security practitioners who are not able to apply the patch, Sophos has also detailed a workaround, by disabling WAN access to the web consoles.

Recommendation #1: Verify Hotfix Installation

Sophos has a support document detailing a command to check if the hotfix is applied from a shell here:

Recommendation #2: Update Sophos Firewall Firmware

If the verification of the patch from the above recommendation fails (“Hotfix isn’t applied”) Sophos has detailed the steps to update your Firmware version.

Background on CVE-2022-22247 – SonicWall Firewalls

On Thursday, March 24, SonicWall, Security hardware manufacturer, published a security advisory to address a critical vulnerability – CVE-2022-22247 – in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE). The security flaw is a stack-based buffer overflow in SonicOS via an HTTP request allowing a remote unauthenticated attacker to cause Denial of Service (DoS) or potentially execute code in the firewall. This vulnerability only impacts the web management interface in TZ Series next-generation firewalls (NGFW), Network Security Virtual (NSv Series), and Network Security services platform (NSsp); the SonicOS SSLVPN interface is not affected.

The SonicWall Product Security Incident Response Team (PSIRT) says there are no reports of public proof-of-concept exploits, and it found no evidence of exploitation in the wild. Patches or hotfixes are available for all affected products.

CVE-2022-22247 vulnerability id has been reserved but not assigned a score yet.

Affected Version by CVE-2022-22247

The SonicWall appliances below are impacted by CVE-2022-22247 vulnerability.

Impacted Platforms

Impacted Version

Fixed Version

TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W,

TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700,
NSa 4700, NSa 5700, NSa 6700, NSsp 10700,

NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870

7.0.1-5050 and older

7.0.1-5051 and higher

NSsp 15700

7.0.1-R579 and older

Mid-April (Hotfix build 7.0.1-5030-HF-R844)

NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300,
NSv 400, NSv 800, NSv 1600 and earlier and higher

Recommendations for CVE-2022-22247

Arctic Wolf strongly recommends organisations who are using impacted firewalls, follow the guidance provided by either patching or implementing the available workarounds.

Recommendation #1: Patch Affected Firewalls Products

Apply applicable ‘Fixed Version’ patch, from the table above, to the affected SonicWall products.

Recommendation #2: Implement Vendor Provided Workarounds

Until the appropriate patches can be applied, SonicWall PSIRT strongly recommends that administrators limit SonicOS management access to trusted sources and/or disable management access from untrusted internet sources. The workarounds below detail how to modify the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management). This will only allow management access from trusted source IP addresses.


1. Resolved RCE in Sophos Firewall (CVE-2022-1040)

2. MITRE: CVE-2022-1040

3. Device Access – Sophos Firewall (CVE-2022-1040)

4. Service and Support(CVE-2022-1040) – KB-000043853

5. SonicWall CVE-2022-22274 Advisory

6. SonicWall Knowledge Base Article on Vulnerability (CVE-2022-22274)

7. SonicWall Knowledge Base –1– (CVE-2022-22274)

8. SonicWall Knowledge Base –2– (CVE-2022-22274)

Picture of Adrian Korn

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.
Share :
Table of Contents