18 January 2023

Thousands of Sophos Firewall devices still vulnerable to critical flaw

More than 99% of internet-facing Sophos Firewall appliances were found to be vulnerable to a critical zero-day issue that was fixed in September 2022.

Tracked as CVE-2022-3236, the issue stems from improper input validation in the User Portal and Webadmin interfaces of Sophos Firewall, and allows a remote, unauthenticated attacker to execute arbitrary code on the target system via a specially crafted request. The vulnerability affects Sophos Firewall v19.0 MR1 (19.0.1) and older. Sophos released hotfixes for a range of affected versions, and has included the fix in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA.
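The version boundaries above are easy to get wrong in an inventory check: a plain "older than 19.0.1" comparison would flag 18.5.5 as affected even though it carries the fix. The following triage helper is an added example, not code from Sophos or VulnCheck; it assumes version strings written the way the article writes them ("19.0.1", "18.5.5", "19.5 GA") and treats "GA" as patch level 0. It also assumes that later maintenance releases on a fixed branch, and any branch newer than 19.5, keep the fix. It cannot see whether a hotfix was auto-applied to a device, so "affected" means "affected unless a hotfix is confirmed on the appliance".

```python
"""Classify Sophos Firewall version strings against the CVE-2022-3236 fix
levels named in the article. Added example; not Sophos or VulnCheck code."""

import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# Fixed releases from the article: v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), v19.5 GA.
# Assumption: later maintenance releases on the same branch also carry the fix.
FIX_LEVELS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (18, 5): (18, 5, 5),
    (19, 0): (19, 0, 2),
    (19, 5): (19, 5, 0),
}
# v19.0 MR1 (19.0.1) and older are affected unless a fixed release above applies.
LATEST_AFFECTED = (19, 0, 1)

# Accepts "19.0.1", "v19.0.1", "19.5 GA"; GA is treated as patch level 0 (assumption).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+)|\s*GA)?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def classify(text: str) -> str:
    """Return 'fixed' or 'affected' for one version string.

    'affected' means the release itself lacks the fix; a hotfix may still have
    been applied on the device, which this check cannot observe.
    """
    version = parse_version(text)
    branch_fix = FIX_LEVELS.get(version[:2])
    if branch_fix is not None:
        # Branch has a named fixed release: compare within the branch only,
        # so 18.5.5 is 'fixed' even though it sorts below 19.0.1.
        return "fixed" if version >= branch_fix else "affected"
    # Branch without a named fix level: anything newer than 19.0.1 is assumed fixed.
    return "fixed" if version > LATEST_AFFECTED else "affected"


def summarize(inventory: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count fixed/affected/unknown across (host, version) pairs."""
    counts: Counter = Counter()
    for _host, version in inventory:
        try:
            counts[classify(version)] += 1
        except ValueError:
            counts["unknown"] += 1
    return dict(counts)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-branch-1", "19.0.1"),
    ("fw-branch-2", "18.5.5"),
    ("fw-branch-3", "18.5.4"),
    ("fw-hq", "19.5 GA"),
    ("fw-lab", "19.0.2"),
    ("fw-old", "18.0.3"),
    ("fw-odd", "unknown-build"),
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        try:
            print(f"{host:12} {version:14} {classify(version)}")
        except ValueError as exc:
            print(f"{host:12} {version:14} unknown ({exc})")
    print(summarize(SAMPLE_INVENTORY))
```

Feed it the version column of whatever asset inventory you keep; anything reported as "affected" still needs the appliance's own hotfix status confirmed before it is counted as exposed.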

According to Sophos, this bug was exploited in attacks targeting a small set of specific organizations, primarily in the South Asia region. Last August, the vendor disclosed another zero-day (CVE-2022-1040) in the same component, which was also used in attacks targeting organizations in South Asia.

While performing an internet scan, researchers at security firm VulnCheck found that over 99% of all internet-connected Sophos firewalls are still running versions vulnerable to CVE-2022-3236.

“But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator),” the company notes. “That still leaves more than 4,000 firewalls (or about 6% of internet-facing Sophos Firewalls) running versions that didn't receive a hotfix and are therefore vulnerable.”

VulnCheck says that there appear to be no public proof-of-concept (PoC) exploits for CVE-2022-3236, but that it is only a matter of time before PoCs become available.
