CVE-2022-1040
published 2022-03-25

CVE-2022-1040: An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.

Priority: P1 · 100 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2022-04-21)
Exploited in the wild
EPSS: 99.80% (100.0th percentile)

Affected

2 ranges
Vendor    Product           Version range              Fixed in
sophos    sfos              <= 18.5.3
sophos    sophos_firewall   unspecified – 18.5 MR3

Detection & IOCs (extracted from sources)

  • Flag presence of libsophos.so being loaded via LD_PRELOAD on Sophos XG firewall devices — Pygmy Goat leverages this library for rootkit persistence.
  • Detect GoMet persistence technique: the malware replaces existing goodware autorun executables rather than creating new autorun registry entries, and creates fake Windows Update scheduled tasks.
  • Alert on Sophos CVE-2022-1040 exploitation scanning activity — GreyNoise observed 357,762 sessions (+71.2%) in a single week with three consecutive weeks of escalation, indicating active mass exploitation.
  • Detect BEHINDER webshell framework usage on Sophos Firewall: look for large base64-encoded POST bodies to login.jsp and other portal URLs, consistent with BEHINDER's communication pattern.
  • The malicious SessionCheckFilter.class webshell was timestomped by the attacker to match the modification timestamps of legitimate files in the same directory — file timestamp-based detection will not reliably identify this backdoor.
  • The binary dropped via pre_install.sh was absent from the C2 server at time of analysis and not present in memory or on disk — defenders may not be able to recover the payload for analysis in all cases.
  • At least 3 distinct Chinese state-sponsored threat groups had access to the CVE-2022-1040 exploit prior to public disclosure, indicating a shared exploit pipeline — attribution based on TTPs alone may be insufficient to distinguish between groups.
  • The GoMet C2 certificate (SHA-1: 9b5e112e683a3605c9481d8f565cfb3b7e2feab7) is self-signed and was issued April 4, 2021 — TLS certificate validation will not flag this as untrusted in all environments without explicit pinning or inspection.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL