Sophos warns of a new actively exploited flaw in Firewall product

Pierluigi Paganini September 23, 2022

Sophos warns that a critical code injection security vulnerability in its Firewall product is actively exploited in the wild.

Sophos warns of a critical code injection security vulnerability, tracked as CVE-2022-3236, affecting its Firewall product which is being exploited in the wild.

The CVE-2022-3236 flaw resides in the User Portal and Webadmin of Sophos Firewall, its exploitation can lead to code execution (RCE).

“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed.” reads the advisory published by the security firm. “Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.”

The company addressed the issue with the released Firewall v19.0 MR1 (19.0.1) and older, it also provided workaround by recommending customers not expose User Portal, and Webadmin to WAN and disable WAN access to the User Portal and Webadmin. The company recommends to use VPN and/or Sophos Central (preferred) for remote access and management.

Customers using older Firewall versions would have to upgrade to a supported version.

In March, the security firm fixed another vulnerability, tracked as CVE-2022-1040, that resides in the User Portal and Webadmin areas of Sophos Firewall.

The CVE-2022-1040 flaw received a CVSS score of 9.8 and impacts Firewall versions 18.5 MR3 (18.5.3) and earlier. The vulnerability was reported to the security firm by an unnamed security researcher via its bug bounty program.

A remote attacker with access to the Firewall’s User Portal or Webadmin interface can exploit the flaw to bypass authentication and execute arbitrary code.

Sophos Firewall User Portal interface
Source Sophos community

The experts warned that the CVE-2022-1040 flaw was actively exploited in attacks aimed at a small set of Asian organizations.


Sophos has addressed the issue with the release of the following hotfixes:

  • Hotfixes for the following versions published on September 21, 2022:
    • v19.0 GA, MR1, and MR1-1
    • v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
  • Hotfixes for the following versions published on September 23, 2022:
    • v18.0 MR3, MR4, MR5, and MR6
    • v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
    • v17.0 MR10
  • Fix included in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA
  • Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment