By gestmaster18, January 2023, in Security

Sophos Firewall (CVE-2022-3236)

Sophos Firewall, a network security appliance, has a vulnerability that could leave more than 4,000 devices exposed to attack. The flaw, a critical remote code execution (RCE) vulnerability tracked as CVE-2022-3236, was discovered in September 2022, and hotfixes were released for multiple versions of Sophos Firewall. At the time, the company warned that the RCE bug was being exploited in the wild in attacks against organisations in South Asia. VulnCheck vulnerability researcher Jacob Baines found that, of more than 88,000 instances of the device, around 6% (more than 4,000) are running versions that have not received a hotfix and remain vulnerable to CVE-2022-3236.


Admins who are unable to patch the software can also remove the attack surface by disabling WAN access to the User Portal and Webadmin. Although a proof-of-concept exploit for the vulnerability has yet to be published online, threat actors will likely be able to reproduce the exploit from the technical details shared by Trend Micro's Zero Day Initiative (ZDI), and a new wave of attacks is likely to follow. This is not the first time a Sophos Firewall vulnerability has been targeted in attacks. In March 2022, a similar critical Sophos Firewall bug (CVE-2022-1040), which enabled authentication bypass and arbitrary code execution, was exploited as a zero-day against South Asian organisations by a Chinese threat group known as DriftingCloud.
