Security software company Sophos has warned of cyberattacks targeting a recently fixed critical vulnerability in its firewall product.
The issue, tracked as CVE-2022-3236 (CVSS score: 9.8), affects Sophos Firewall v19.0 MR1 (19.0.1) and older. It is a code injection vulnerability in the User Portal and Webadmin components that can lead to remote code execution.
The company said it “observed that this vulnerability was being used to target a small group of specific organizations, primarily in the South Asia region,” adding that it had notified those companies directly.
As a workaround, Sophos recommends that users take steps to ensure that the User Portal and Webadmin are not exposed to the WAN. Alternatively, users can update to one of the supported versions listed below:
- v19.0 MR2 (19.0.2)
- v19.0 GA, MR1 and MR1-1
- v18.5 MR5 (18.5.5)
- v18.5 GA, MR1, MR1-1, MR2, MR3 and MR4
- v18.0 MR3, MR4, MR5 and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16 and MR17
- v17.0 MR10
Users running older versions of Sophos Firewall need to upgrade to receive the latest protections and the relevant fixes.
The development marks the second time in a year that a Sophos Firewall vulnerability has been actively attacked. In early March this year, another bug (CVE-2022-1040) was exploited to target organizations in the South Asia region.
Then, in June 2022, cybersecurity company Volexity shared more details of the attack campaign and attributed the intrusions to a Chinese Advanced Persistent Threat (APT) group called DriftingCloud.
Sophos firewall appliances have also previously been attacked to deploy the so-called Asnarök Trojan in an attempt to steal confidential information.