CVE-2022-3236: Critical 0-day Sophos Firewall RCE Vulnerability

On September 23, British-based cybersecurity vendor Sophos published a security advisory about CVE-2022-3236, a code injection vulnerability that affects the User Portal and Webadmin of Sophos Firewall and could be exploited to execute arbitrary code remotely.

The flaw received a critical severity rating and is now actively exploited in attacks.

“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate,” the company said in an advisory.

The security hole impacts Sophos Firewall version v19.0 MR1 (19.0.1) and older. Sophos announced the availability of hotfixes for multiple Firewall versions, including:

• Hotfixes for the following versions were published on September 21, 2022:
  • v19.0 GA, MR1, and MR1-1
  • v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
• Hotfixes for the following versions were published on September 23, 2022:
  • v18.0 MR3, MR4, MR5, and MR6
  • v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
  • v17.0 MR10
• Fix included in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA

The CVE-2022-3236 has been addressed in a hotfix that’s automatically installed for customers who have the “Allow automatic installation of hotfixes” setting enabled. Also, Sophos is recommending that users disable WAN access to the User Portal and Webadmin interfaces, and instead use VPN and/or Sophos Central for remote access and management.

“Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix,” Sophos said.