Hackers are actively exploiting a new Sophos Firewall RCE vulnerability


Security software company Sophos has warned of cyberattacks targeting a recently fixed critical vulnerability in its firewall product.

The issue, tracked as CVE-2022-3236 (CVSS score: 9.8), affects Sophos Firewall v19.0 MR1 (19.0.1) and older. It is a code injection vulnerability in the User Portal and Webadmin components that can lead to remote code execution.

The company said it “observed that this vulnerability was being used to target a small group of specific organizations, primarily in the South Asia region,” adding that it had notified those companies directly.


As a workaround, Sophos recommends that users take steps to ensure that the User Portal and Webadmin are not exposed to the WAN. Alternatively, users can update to one of the following supported versions, in which the issue is fixed:

  • v19.5GA
  • v19.0 MR2 (19.0.2)
  • v19.0 GA, MR1 and MR1-1
  • v18.5 MR5 (18.5.5)
  • v18.5 GA, MR1, MR1-1, MR2, MR3 and MR4
  • v18.0 MR3, MR4, MR5 and MR6
  • v17.5 MR12, MR13, MR14, MR15, MR16 and MR17
  • v17.0 MR10

Users running older versions of Sophos Firewall need to upgrade to get the latest protections and relevant fixes.
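The workaround above is only effective if the management interfaces really do not answer on the WAN side, so it is worth verifying from an external vantage point (a cloud VM or a phone hotspot, not a host inside the LAN). The script below is an added example, not Sophos code and not part of the original article. It assumes the stock listening ports of TCP/443 for the User Portal and TCP/4444 for Webadmin, which the article does not state and which may have been changed on a given deployment; edit DEFAULT_PORTS accordingly. The localhost listener helpers exist only so the probe can be exercised offline.

```python
"""Probe whether a Sophos Firewall's User Portal / Webadmin answer from where
this script runs.  Run it from OUTSIDE the network against the firewall's WAN
address; any 'reachable' result means the workaround is not in place.

Added example, not Sophos code.  Assumed (not from the article): default
ports 443 (User Portal) and 4444 (Webadmin)."""
from __future__ import annotations

import socket
import ssl
import sys
import threading
from dataclasses import dataclass

DEFAULT_PORTS = {"user_portal": 443, "webadmin": 4444}  # assumed defaults


@dataclass
class PortStatus:
    service: str
    port: int
    reachable: bool      # TCP connect completed
    tls: bool            # a TLS handshake completed (certificate NOT verified)
    tls_version: str = ""


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout), unreachable
        return False


def tls_version(host: str, port: int, timeout: float = 3.0) -> str | None:
    """Attempt a TLS handshake without certificate verification (admin
    portals are usually self-signed) and return the negotiated version,
    or None if the port does not speak TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:                     # ssl.SSLError is an OSError subclass
        return None


def check_exposure(host: str, ports: dict[str, int] | None = None,
                   timeout: float = 3.0) -> list[PortStatus]:
    """Probe every service in `ports` on `host` and return one status each."""
    results = []
    for service, port in (ports or DEFAULT_PORTS).items():
        reachable = tcp_open(host, port, timeout)
        version = tls_version(host, port, timeout) if reachable else None
        results.append(PortStatus(service, port, reachable,
                                  version is not None, version or ""))
    return results


def exposed(statuses: list[PortStatus]) -> list[str]:
    """Names of services that accepted a connection, i.e. are exposed here."""
    return sorted(s.service for s in statuses if s.reachable)


# --- helpers to exercise the probe offline (constructed for the example) ---
def start_local_listener() -> tuple[socket.socket, int]:
    """Plain TCP listener on 127.0.0.1:<ephemeral> that accepts and closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_closed_port() -> int:
    """Pick a port nobody listens on: bind, read it back, release it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = check_exposure(target)
    for st in found:
        print(f"{st.service:12} tcp/{st.port:<5} reachable={st.reachable} "
              f"tls={st.tls} {st.tls_version}")
    print("EXPOSED:", exposed(found) or "none")
```

A result of reachable=True with tls=False usually means the port is answered by something other than the firewall's HTTPS listener (a NAT or a different service); treat it as a finding to investigate rather than a clean bill of health. A port that is merely filtered will show up as unreachable after the timeout, which is the desired state for both services on the WAN.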

The development marks the second time in a year that a Sophos Firewall vulnerability has been actively attacked. In early March this year, another bug (CVE-2022-1040) was exploited to target organizations in the South Asia region.


Then, in June 2022, cybersecurity company Volexity shared more details of the attack campaign and pinned the intrusions to a Chinese Advanced Persistent Threat (APT) called DriftingCloud.

Sophos firewall appliances have also previously been attacked to deploy the so-called Asnarök Trojan in an attempt to steal confidential information.

