The SANS Internet Storm Center (ISC) Stormcast for Monday, May 4th, 2026, has raised the alarm regarding active exploitation of a critical vulnerability in Sophos Firewall appliances. Tracked as CVE-2026-3982, this vulnerability is a pre-authentication Remote Code Execution (RCE) flaw affecting the User Portal and Webadmin interfaces.
Defenders need to act immediately. This is not a theoretical risk; ISC handlers have confirmed widespread scanning and exploitation attempts in the wild. Successful exploitation allows attackers to bypass authentication and execute arbitrary code as the "root" user, leading to complete device compromise, lateral movement, and potential ransomware deployment.
Technical Analysis
- Affected Products: Sophos Firewall v19.0 MR1 and older versions.
- CVE Identifier: CVE-2026-3982 (CVSS 9.8, Critical).
- Vulnerability Type: Pre-authentication Remote Code Execution (RCE) via SQL injection in the User Portal/Webadmin components.
- Attack Chain:
  - Recon: Attacker scans TCP ports 443 (HTTPS) or 8080.
  - Exploit: Attacker sends a specially crafted HTTP POST request to the /webconsole/WEB-INF/classes/ or similar endpoint (specifics vary by bypass technique) containing a malicious SQL injection payload.
  - Execution: The SQLi triggers a deserialization flaw or command injection, spawning a reverse shell or writing a webshell.
  - Persistence: Attacker modifies system configuration or installs rootkits to maintain access.
- Exploitation Status: CONFIRMED ACTIVE EXPLOITATION. CISA has added this to the Known Exploited Vulnerabilities (KEV) catalog.
Detection & Response
Because exploitation is already active, detection should focus on two things: the initial exploitation attempt, visible as anomalous HTTP requests to the User Portal/Webadmin, and the suspicious child processes spawned on the firewall afterwards (where process telemetry is available through a logging agent).
SIGMA Rules
---
title: Sophos Firewall CVE-2026-3982 Exploitation Attempt
id: 9d8e7c6a-5b43-4f12-a11c-9e8d7f6a5b12
status: experimental
description: Detects potential exploitation of CVE-2026-3982 against Sophos Firewall User Portal/Webadmin based on known SQLi patterns in URI parameters.
references:
  - https://isc.sans.edu/diary/rss/32946
author: Security Arsenal
date: 2026/05/04
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.3982
logsource:
  category: webserver
  product: sophos
detection:
  selection:
    c-uri|contains:
      - 'webconsole'
      - 'userportal'
    cs-method: POST
    c-uri-query|contains:
      - 'UNION SELECT'
      - 'concat(0x'
      - 'DROP TABLE'
      - ';exec('
  condition: selection
falsepositives:
  - Penetration testing activity
level: critical
---
title: Sophos Firewall Suspicious Root Process Spawn
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects suspicious process execution on the underlying Linux OS of the firewall following exploitation (e.g., curl, wget, or bash spawned by the web service account).
references:
  - https://isc.sans.edu/diary/rss/32946
author: Security Arsenal
date: 2026/05/04
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/httpd'
      - '/nginx'
    Image|endswith:
      - '/bin/sh'
      - '/bin/bash'
      - '/usr/bin/curl'
      - '/usr/bin/wget'
      - '/usr/bin/python'
    User|contains:
      - 'nobody'
      - 'www-data'
  condition: selection
falsepositives:
  - Legitimate administrative debugging
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious SQLi patterns in Sophos Firewall proxy/web logs
// Adjust the table and column names to your ingestion format (e.g., CommonSecurityLog, SophosFirewall)
SophosFirewall
| where TimeGenerated > ago(7d)
| where ActionType contains "web"
| where DestinationPort in (443, 8080)
| where RequestURL has "webconsole" or RequestURL has "userportal"
| where RequestMethod == "POST"
// extract() with capture group 1 yields the query string as a plain string;
// extract_all() would return a dynamic array that has_any cannot search reliably
| extend QueryParams = extract(@"\?(\S+)", 1, RequestURL)
| where isnotempty(QueryParams)
// has_any matches whole terms; short fragments such as "0x" only match when they appear as a standalone term
| where QueryParams has_any ("UNION", "SELECT", "DROP", "exec", "0x", "script")
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, RequestMethod, QueryParams
| summarize count() by SourceIP, RequestURL
| order by count_ desc
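As an added example, not part of the original post: the Sigma selection and the KQL summarize step above, applied in Python to a handful of constructed access-log lines (the line format, request paths and IP addresses are assumptions, not Sophos's real log format). It goes one step beyond the Sigma rule by also inspecting the POST body, which is where the advisory says the payload arrives.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Same selection as the Sigma rule: POST to a webconsole/userportal URI carrying an SQLi
# pattern. Unlike the Sigma rule, the POST body is inspected too, since the advisory
# describes the payload arriving in the POST request.
URI_MARKERS = ("webconsole", "userportal")
SQLI_PATTERNS = ("union select", "concat(0x", "drop table", ";exec(")

# Constructed sample lines (not real Sophos logs): METHOD URL STATUS SOURCE_IP BODY ("-" = no body)
SAMPLE_LOG = """\
POST /userportal/webpages/myaccount/login.jsp?lang=en 200 198.51.100.7 username=alice&password=secret
POST /webconsole/webpages/login.jsp?user=a'%20UNION%20SELECT%201,2-- 500 203.0.113.9 x=1
GET /userportal/webpages/myaccount/login.jsp?q=UNION+SELECT 200 198.51.100.8 -
POST /webconsole/webpages/login.jsp 500 203.0.113.9 name=x'%3Bexec(%27id%27)--&p=1
POST /images/logo.png?a=UNION%20SELECT 200 198.51.100.9 -
"""

LINE_RE = re.compile(r"^(?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<src>\S+) (?P<body>\S*)$")

def parse_line(line):
    """Split one constructed log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_exploit_attempt(rec):
    """True when the request satisfies the Sigma selection (plus body inspection)."""
    if rec["method"] != "POST":
        return False
    parts = urlsplit(rec["url"])
    if not any(marker in parts.path.lower() for marker in URI_MARKERS):
        return False
    # Decode once so %20 / + encoding does not hide keywords, then match
    # case-insensitively, as Sigma string modifiers do by default.
    haystack = unquote_plus(parts.query + " " + rec["body"]).lower()
    return any(p in haystack for p in SQLI_PATTERNS)

def hunt(log_text):
    """Count matching requests per source IP, mirroring the KQL summarize step."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_exploit_attempt(rec):
            hits[rec["src"]] += 1
    return hits
```

On the sample above, `hunt(SAMPLE_LOG)` attributes both suspicious requests to 203.0.113.9 and ignores the GET, the non-portal path and the benign login.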
Velociraptor VQL
-- Hunt for evidence of webshell or payload creation on Linux-based appliances
-- This requires Velociraptor deployed on the endpoint (rare for firewalls, but possible for hosted/VM instances)
-- Column names (FullPath vs. OSPath, ModTime vs. Mtime) vary between Velociraptor releases; confirm them with a test query first
SELECT FullPath, Size, ModTime, Mode
FROM glob(globs="/tmp/*", root="/")
WHERE ModTime > timestamp(epoch=now() - 86400)   -- modified in the last 24h (VQL has no "24h" literal)
  AND Name =~ "\\.(sh|py|php)$"                  -- script extensions, anchored at end of name
  AND Mode =~ "x"                                -- Mode is a string like -rwxr-xr-x; any execute bit set

-- Hunt for active network connections to non-standard ports from processes running as root or the web service user
-- netstat() carries no user name, so the owning user is taken from pslist() via foreach
SELECT Pid, Name, Username, Family, Type, Status,
       Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Timestamp
FROM foreach(
  row={ SELECT Pid AS ProcPid, Username FROM pslist()
        WHERE Username IN ("root", "nobody", "www-data") },
  query={ SELECT *, Username FROM netstat() WHERE Pid = ProcPid })
WHERE RemoteIP != "0.0.0.0" AND RemoteIP != "::"
  AND RemotePort > 1024
  AND Timestamp > timestamp(epoch=now() - 3600)  -- last hour; verify the timestamp column name on your release
Remediation Script (Bash)
Note: This script is intended for security administrators managing the logs or a jump host, or to be adapted as a temporary mitigation on the device if CLI access is available. For Sophos firewalls, the primary remediation is a firmware update.
#!/bin/bash
# Temporary Mitigation for CVE-2026-3982
# Disables WAN access to User Portal and Webadmin if not explicitly allowed.
# WARNING: Run this only in the Sophos Firewall CLI shell or via SSH.
# Ensure you have a backup configuration before running.
# Note: dropping all of TCP 443 on the WAN also blocks any other service published on
# that port (for example an SSL VPN listening on 443); relocate such services first.
set -u

LOG_FILE="/var/log/cve_2026_3982_mitigation.log"
WAN_IF="${WAN_IF:-eth1}"   # Replace 'eth1' (or export WAN_IF) with your actual WAN interface name

log() { echo "$(date '+%F %T') $*" >> "$LOG_FILE"; }

log "Starting mitigation for CVE-2026-3982"

# Check if running as root (expected on firewall)
if [ "$EUID" -ne 0 ]; then
  log "Please run as root."
  exit 1
fi

# Block external access to User Portal (TCP 443) and Webadmin (TCP 8080).
# Rules are inserted at the top of INPUT so they take precedence over existing ACCEPT rules.
POSITION=1
for PORT in 443 8080; do
  if iptables -I INPUT "$POSITION" -i "$WAN_IF" -p tcp --dport "$PORT" -j DROP; then
    log "Rule added: Blocked external TCP $PORT on WAN interface $WAN_IF."
    POSITION=$((POSITION + 1))
  else
    log "Failed to add rule for TCP $PORT."
  fi
done

log "Mitigation complete. Verify rules with: iptables -L INPUT -n -v"
Remediation
Immediate Actions:
- Patch Immediately: Upgrade to Sophos Firewall v19.5 MR2 or later. This build contains the fix for CVE-2026-3982.
- Vendor Advisory: Sophos Community Advisory
- Mitigation (If patching is delayed):
  - Disable WAN access to the User Portal and Webadmin interfaces. Ensure these are only accessible via VPN or internal LAN.
  - Verify your firewall rules to ensure that management ports (TCP 443, 8080) are not exposed to the internet.
- Hunt for Compromise:
  - Review logs for successful logins from unfamiliar IPs.
  - Check for the creation of new local administrator accounts (a common post-exploitation step).