September 25, 2022
Sophos Patches an Actively Exploited RCE Firewall Vulnerability
Sophos has released a security advisory addressing a critical remote code injection vulnerability affecting several firewall models, allowing unauthenticated attackers to perform remote code execution.
- CVE-2022-3236 (CVSS:9.8 – critical) – A remote code injection vulnerability in the User Portal and Webadmin components, affecting Sophos Firewall versions 19.0 MR1 (19.0.1) and earlier.
Successful exploitation could allow an attacker to execute code remotely and gain full access to affected devices and the internal corporate networks behind them.
The following Sophos Firewall versions are affected:
- v19.0 GA, MR1, and MR1-1
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
CYREBRO recommends implementing the latest available hotfixes and patches for relevant products as described in the official advisory.
Please note that if the “Allow automatic installation of hotfixes” setting in Sophos Firewall is enabled (it is enabled by default), no further action is required.
If the hotfix cannot be applied right now, disable WAN access to the User Portal and Webadmin by following device access best practices, and instead use VPN and/or Sophos Central for remote access and management.
References: Sophos Advisory