
Second critical Sophos Firewall bug exploited in wild

CVSS 9.8 vulnerability added to CISA "known exploited" catalogue

Hackers are exploiting a critical code injection vulnerability in Sophos Firewall, the cybersecurity company says. The CVSS 9.8 remote code execution (RCE) bug was also added to CISA’s “known exploited” catalogue on Friday.

The bug is in the User Portal and Webadmin of Sophos Firewall and does not require authentication.

The Sophos Firewall vulnerability, allocated CVE-2022-3236, affects v19.0 MR1 (19.0.1) and all older versions. It has been used to attack what the company described as a “small set of specific organizations, primarily in the South Asia region”. Sophos pushed out hotfixes on September 21 and September 23.

(No action is required for Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled on remediated versions, which is the default setting, albeit one often disabled to avoid update issues.)

Sophos did not say how the vulnerability was identified or reported, with no credit given in its advisory.

Another Sophos Firewall vulnerability exploited in March

It’s the second Sophos Firewall vulnerability to be actively exploited this year, after CVE-2022-1040 (also with a CVSS score of 9.8) was reported as under attack in March 2022. As with that earlier vulnerability, Sophos emphasised on September 23 that customers can “protect themselves from external attackers by ensuring their User Portal, and Webadmin are not exposed to WAN” and urged users to “disable WAN access to the User Portal and Webadmin… [and] use VPN and/or Sophos Central (preferred) for remote access and management.”

Customers can run "system diagnostic show version-info" from their console; if they see HF092122.1 or a later value, the hotfix has been applied, the cybersecurity company said in its advisory.
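To turn that console check into something an administrator can run over saved output from many firewalls, here is an added example (not Sophos's code or the article's). It assumes hotfix IDs follow the HFMMDDYY.N pattern visible in HF092122.1, and the sample console lines are constructed, not real firewall output.

```python
import re
from datetime import date

# Assumption: Sophos hotfix IDs are "HF" + MMDDYY + "." + sequence number,
# as in HF092122.1 (the September 21, 2022 hotfix named in the advisory).
HOTFIX_RE = re.compile(r"\bHF(\d{2})(\d{2})(\d{2})\.(\d+)\b")

# The first hotfix for CVE-2022-3236, per the Sophos advisory.
REQUIRED = "HF092122.1"


def parse_hotfix(hotfix_id):
    """Return (date, sequence) for an ID like HF092122.1, or None if malformed."""
    m = HOTFIX_RE.fullmatch(hotfix_id)
    if not m:
        return None
    mm, dd, yy, seq = m.groups()
    try:
        return (date(2000 + int(yy), int(mm), int(dd)), int(seq))
    except ValueError:  # e.g. month 13 or day 32
        return None


def hotfixes_in(output):
    """Every hotfix ID found anywhere in the captured console output."""
    return [m.group(0) for m in HOTFIX_RE.finditer(output)]


def hotfix_applied(output, required=REQUIRED):
    """True if any hotfix in the output is the required one or newer.

    Comparing (date, sequence) tuples avoids the string-ordering trap:
    a January 2023 hotfix such as HF010123.1 sorts *below* HF092122.1
    as text but is newer."""
    need = parse_hotfix(required)
    if need is None:
        raise ValueError(f"bad required hotfix id: {required}")
    return any(
        got is not None and got >= need
        for got in (parse_hotfix(hf) for hf in hotfixes_in(output))
    )


# Constructed sample output lines; the real version-info layout may differ.
SAMPLE_PATCHED = "Applied Hotfixes: HF052522.1, HF092122.1"
SAMPLE_NEWER = "Applied Hotfixes: HF010123.1"
SAMPLE_UNPATCHED = "Applied Hotfixes: HF052522.1"
```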

Firewalls from other security vendors have also been revealed this year as suffering from critical vulnerabilities that went on to be attacked in the wild. CVE-2022-30525, a pre-authentication command injection vulnerability with a CVSS score of 9.8 that leads to full remote code execution (RCE) in numerous Zyxel firewall versions and was reported by Rapid7, springs to mind, as does CVE-2022-1388, the CVSS 9.8 pre-auth RCE in F5’s BIG-IP suite of gateway/firewall services, covered by The Stack here, which went on to be widely exploited.
