Sophos Firewall zero-day bug exploited weeks before fix

Chinese hackers used a zero-day exploit for a critical-severity vulnerability in Sophos Firewall to compromise a company and breach cloud-hosted web servers operated by the victim.

On March 25, Sophos published a security advisory about CVE-2022-1040, an authentication bypass vulnerability that affects the User Portal and Webadmin of Sophos Firewall and could be exploited to execute arbitrary code remotely.

This week, cybersecurity company Volexity detailed an attack from a Chinese advanced persistent threat group they track as DriftingCloud, which exploited CVE-2022-1040 since early March, a little over three weeks before Sophos released a patch.

The adversary used the zero-day exploit to compromise the firewall to install webshell backdoors and malware that would enable compromising external systems outside the network protected by Sophos Firewall.

The researchers say that gaining access to Sophos Firewall was the first step of the attack, allowing the adversary to perform man-in-the-middle activity by way of modifying DNS responses for specific websites managed by the victim company.

Sophos provided hotfixes that address CVE-2022-1040 automatically as well as mitigations that help organizations using its firewall protect against exploiting the vulnerability.

Share this article on social media:

Subscribe to Our Newsletter!
Stay on top of cybersecurity risks, evolving threats and industry news.

The Latest Cybersecurity News

From major cyberattacks, newly discovered critical vulnerabilities to recommended best practices, read it here first:

Tell us about your needs.
Get an answer the same business day.

Tell us about your needs.
Get an answer the same business day.

Fill out the form below and get an answer from our experts within 1 business day.

Got an urgent request? Call us at 1-877-805-7475 or Book a meeting.


What happens next:

  • We reach out to learn about your objectives
  • We work together to define your project's scope
  • You get an all-inclusive, no engagement proposal

This field is for validation purposes and should be left unchanged.
Scroll to Top


Enter Your
Corporate Email

This site is registered on as a development site.