Sophos Firewall RCE vulnerability (CVE-2022-3236) exploited the wild

Sophos has fixed a Sophos Firewall remote code execution (RCE) vulnerability (CVE-2022-3236) exploited in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) also added the Sophos flaw to its Known Exploited Vulnerabilities Catalog on September 22, 2022.

“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate,” Sophos stated in the advisory.

According to Sophos, a Critical severity code injection vulnerability (CVE-2022-3236) could allow remote code execution in the User Portal and Webadmin of Sophos Firewall. Sophos has since fixed the vulnerability. Furthermore, firewalls configured with the “allow automatic installation of hotfixes” enabled will not require user intervention to get the update.

The Sophos flaw has a CVSS score of 9.8 and affects Sophos Firewall v19.0 MR1 (19.0.1) and older.

Moreover, Sophos recommends customers can further protect exposure by not exposing the firewall User Portal and Webadmin to the WAN or internet. Users should instead follow device access best practices by using VPN and/or Sophos Central (preferred) for remote access and management.

Readers may also recall earlier this year when Sophos fixed another exploited vulnerability CVE-2022-1040 (CVSS score 9.8) on March 25, 2022. The exploited Critical authentication bypass flaw also affected the User Portal and Webadmin of Sophos Firewall and was added to the CISA Exploited Vulnerabilities Catalog after Sophos. An attacker could exploit this issue and execute code remotely.

On a related note, CISA also added another vulnerability to its Exploited Vulnerabilities Catalog on September 22, 2022 – a Zoho ManageEngine RCE vulnerability (CVE-2022-35405).

Related Articles