Over 4,000 Sophos Firewall appliances exposed to Internet access are vulnerable to attacks targeting a critical remote code execution (RCE) vulnerability.
Sophos disclosed this code injection flaw (CVE-2022-3236), which affects the User Portal and Webadmin of Sophos Firewall, in September and released hotfixes for multiple Sophos Firewall versions at the same time (official fixes followed three months later, in December 2022).
The company warned at the time that the RCE bug was being exploited in the wild in attacks against organizations from South Asia.
The September hotfixes were rolled out automatically to all affected instances (v19.0 MR1/19.0.1 and older), because automatic hotfix installation is enabled by default, unless an administrator had disabled that option.
Sophos Firewall instances running older product versions had to be upgraded manually to a supported version to receive the CVE-2022-3236 hotfix automatically.
Admins who cannot apply the hotfix or upgrade can instead remove the attack surface by disabling WAN access to the User Portal and Webadmin.