CVE-2022-1807 in Sophos

Summary

by MITRE • 09/07/2022

Multiple SQLi vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 18.5 MR4 and version 19.0 MR1.


Analysis

by VulDB Data Team • 06/17/2025

CVE-2022-1807 is a critical flaw in the Webadmin interface of Sophos Firewall: multiple SQL injection vulnerabilities allow an authenticated administrator to escalate to super-administrator. It affects Sophos Firewall versions prior to 18.5 MR4 and 19.0 MR1, so organizations still running those releases carry significant risk. The root cause is inadequate validation and sanitization of input in the web administration component, which lets crafted input alter database queries. The consequence goes beyond data theft: successful exploitation raises the attacker from standard administrator to super-administrator, giving complete control over the firewall's configuration and operation and defeating the least-privilege separation on which the device's security model rests.

Technically, the injection points are places in Webadmin where user-supplied parameters are incorporated directly into database queries without sanitization or parameterization, so an attacker can alter the underlying database operations and obtain elevated rights. The flaw sits at the application layer and affects the authentication and authorization mechanisms of the firewall's web interface. It maps to CWE-89 (SQL Injection), which the OWASP Top Ten lists as a critical risk category. Exploitation requires an authenticated session with administrative privileges; the danger lies in privilege escalation rather than plain data access, and little effort beyond that initial authentication is needed to reach super-administrator level.

The operational impact of CVE-2022-1807 extends well beyond the compromise of a single device. Organizations running affected Sophos Firewall versions face potential compromise of the whole network, since super-administrator access allows modification of firewall rules, access control lists, and security policies. The flaw can give attackers persistent access to network infrastructure through legitimate administrative channels, which makes the activity hard to distinguish from normal administration. The risk of lateral movement rises markedly, because firewall configuration can be changed to redirect traffic or disable security controls. In ATT&CK terms, the vulnerability maps to privilege escalation techniques and lets adversaries establish persistence within network infrastructure. The resulting attack surface includes data exfiltration, network reconnaissance, and modification of critical security controls, so the vulnerability is especially dangerous for organizations with limited network segmentation or monitoring.

Mitigation centres on immediate patching to 18.5 MR4, 19.0 MR1, or later, which contain the fixes. Organizations should run a comprehensive vulnerability assessment to identify every affected device and prioritize remediation by network criticality and exposure. Network segmentation and access controls should be tightened to limit the impact of a successful exploit. Web application firewalls and database activity monitoring add further defensive layers, but they do not replace proper patch management. Security teams should also audit existing administrative accounts so that only the personnel who need it can reach the affected administrative interfaces. Regular security and penetration testing should be carried out to find similar weaknesses in other network infrastructure components, since SQL injection remains a prevalent threat across platforms and applications. The vulnerability underscores the importance of keeping security patches current and maintaining robust monitoring to detect and respond to exploitation attempts.
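The analysis above describes the pattern in general terms: a role-change query built from user input, and the fix of binding input as parameters plus enforcing authorization server-side. The following is an added illustration, not Sophos code (the real Webadmin implementation is not on this page); the `users` table, the role names and the function names are constructed for the example, and SQLite stands in for whatever database the product uses.

```python
import sqlite3

SUPER_ADMIN = "super-admin"
ADMIN = "admin"


def make_db():
    """Constructed sample data: one super-admin and two ordinary admins."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("root", SUPER_ADMIN), ("alice", ADMIN), ("bob", ADMIN)])
    conn.commit()
    return conn


def role_of(conn, name):
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def set_role_unsafe(conn, target, new_role):
    """CWE-89 pattern: the caller's input is spliced into the SQL text, so a quote
    character in `target` ends the literal and the remainder becomes SQL. There is
    also no check of who is asking, so any admin can assign any role."""
    sql = f"UPDATE users SET role = '{new_role}' WHERE name = '{target}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows changed


def set_role_safe(conn, caller, target, new_role):
    """Hardened form: (1) authorization is decided server-side from the caller's
    stored role, not from the request; (2) inputs are bound as parameters, so they
    are always treated as data and can never change the statement's structure."""
    if new_role == SUPER_ADMIN and role_of(conn, caller) != SUPER_ADMIN:
        return 0  # only a super-admin may grant the super-admin role
    cur = conn.execute("UPDATE users SET role = ? WHERE name = ?", (new_role, target))
    conn.commit()
    return cur.rowcount
```

With the constructed data, a quote-bearing `target` value changes more than one row through the unsafe function, while the safe function changes none, because the same string is looked up as a literal user name and the caller's stored role gates the change.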

Responsible

Sophos Limited

Reservation

05/20/2022

Disclosure

09/07/2022

Moderation

accepted

CPE

ready

EPSS

0.00967

KEV

no

Activities

very low

Sources
