The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Sophos firewall flaw and seven other issues to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed CVE-2022-1040 flaw in the Sophos firewall, along with seven other issues, to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The new vulnerabilities added to the catalog have to be addressed by federal agencies by April 21, 2022.

The CVE-2022-1040 is an authentication bypass vulnerability that resides in the User Portal and Webadmin areas of Sophos Firewall.

The vulnerability received a CVSS score of 9.8 and impacts Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier. The vulnerability was reported to the security firm by an unnamed security researcher via its bug bounty program.

“An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.” reads the advisory published by the company.

A remote attacker with access to the Firewall’s User Portal or Webadmin interface can exploit the flaw to bypass authentication and execute arbitrary code.

Source Sophos community

The security vendor pointed out that the hotfixes will be automatically installed on its devices by default.

The company also recommends customers avoid exposing their User Portal and Webadmin to WAN.

Sophos is also warning that the CVE-2022-1040 flaw in Sophos Firewall is actively exploited in attacks aimed at a small set of Asian organizations.

CISA also ordered federal agencies to patch a high severity arbitrary file upload vulnerability (CVE-2022-26871) in the Trend Micro Apex Central product management console that can be abused in remote code execution attacks.

On Tuesday, Trend Micro said it has observed “at least one active attempt of potential exploitation” of this vulnerability in the wild.

CISA added six more vulnerabilities to its Known Exploited Vulnerabilities Catalog today, all of them also exploited in ongoing attacks.

CISA also ordered federal agencies to patch an arbitrary file upload vulnerability in Trend Micro Apex Central (CVE-2022-26871) and a privilege escalation in Microsoft Windows (CVE-2021-34484).

Below is the list of recently added vulnerabilities:

CVE Vulnerability Name Due Date
CVE-2022-26871 Trend Micro Apex Central Arbitrary File Upload Vulnerability 2022-04-21
CVE-2022-1040 Sophos Firewall Authentication Bypass Vulnerability 2022-04-21
CVE-2021-34484 Microsoft Windows User Profile Service Privilege Escalation 2022-04-21
CVE-2021-28799 QNAP NAS Improper Authorization Vulnerability 2022-04-21
CVE-2021-21551 Dell dbutil Driver Insufficient Access Control Vulnerability 2022-04-21
CVE-2018-10562 Dasan GPON Routers Command Injection Vulnerability 2022-04-21
CVE-2018-10561 Dasan GPON Routers Authentication Bypass Vulnerability 2022-04-21
CVE-2014-6324 Microsoft Windows Kerberos KDC Privilege Escalation 2022-04-21

The CISA Catalog has reached a total of 609 entries with the latest added vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, BazarLoader)