18 January 2023

Thousands of Sophos Firewall devices still vulnerable to critical flaw

More than 99% of internet-facing Sophos Firewall appliances were found to be vulnerable to a critical zero-day issue that was fixed in September 2022.

Tracked as CVE-2022-3236, the issue stems from improper input validation in the User Portal and Webadmin interfaces of Sophos Firewall, and allows a remote, unauthenticated attacker to execute arbitrary code on the target system via a specially crafted request. The vulnerability affects Sophos Firewall v19.0 MR1 (19.0.1) and older. Sophos released hotfixes for a number of affected versions, and has included the fix in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA.
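For defenders triaging an appliance inventory against the versions named above, the following added example (not code from the article, Sophos or VulnCheck) normalises Sophos Firewall version strings such as "19.0 MR1", "19.0.1" or "v19.5 GA" and classifies each against the fixed releases the article lists. The status labels, the handling of release branches the article does not mention (reported as "unknown"), and the sample inventory are assumptions constructed for the example. It cannot tell whether a hotfix has been applied to a device; "vulnerable-unless-hotfixed" means the running release predates the in-release fix and the hotfix status must be confirmed on the appliance itself.

```python
import re
from collections import Counter

# Releases in which the article says CVE-2022-3236 is fixed:
# v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), v19.5 GA (19.5.0).
# Keyed by (major, minor) branch -> first maintenance release with the fix.
FIXED_RELEASES = {(18, 5): 5, (19, 0): 2, (19, 5): 0}

# Accepts "19.0.1", "19.0 MR1", "v19.5 GA" and "18.5" (case-insensitive).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+)|\s*MR\s*(\d+)|\s*GA)?$", re.IGNORECASE
)


def parse_version(text):
    """Normalise a Sophos Firewall version string to (major, minor, mr).

    'GA' and a missing maintenance-release suffix both map to mr = 0,
    matching the article's 'v19.5 GA' usage.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, dot_mr, mr_suffix = m.groups()
    mr = dot_mr if dot_mr is not None else mr_suffix
    return (int(major), int(minor), int(mr) if mr is not None else 0)


def cve_2022_3236_status(text):
    """Classify one version string against the fixed releases.

    Returns 'fixed', 'vulnerable-unless-hotfixed' or 'unknown'. The
    'unknown' label (an assumption of this example) covers branches the
    article does not list that sit between the fixed releases.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        if version[2] >= FIXED_RELEASES[branch]:
            return "fixed"
        return "vulnerable-unless-hotfixed"
    if version >= (19, 5, 0):
        return "fixed"  # newer than every fixed release the article names
    if version < (18, 5, 0):
        # Covered by "v19.0 MR1 (19.0.1) and older"; no in-release fix listed.
        return "vulnerable-unless-hotfixed"
    return "unknown"


def triage(inventory):
    """Count devices per status; inventory is an iterable of version strings."""
    return Counter(cve_2022_3236_status(v) for v in inventory)


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    sample = ["19.0 MR1", "v19.0.2", "18.5 MR4", "18.5 MR5", "19.5 GA", "17.5 MR3"]
    for v in sample:
        print(f"{v:>10} -> {cve_2022_3236_status(v)}")
    print(dict(triage(sample)))
```

Run it against an exported list of firmware versions from your asset inventory; anything reported as "vulnerable-unless-hotfixed" should be checked for the applied hotfix or scheduled for an upgrade to one of the fixed releases.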

According to Sophos, this bug was exploited in attacks targeting a small set of specific organizations, primarily in the South Asia region. Last August, the vendor disclosed another zero-day (CVE-2022-1040) in the same component, which was also used in attacks targeting organizations in South Asia.

While performing an internet scan, researchers at security firm VulnCheck found that over 99% of all internet-connected Sophos firewalls are still vulnerable to CVE-2022-3236.

“But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator),” the company notes. “That still leaves more than 4,000 firewalls (or about 6% of internet-facing Sophos Firewalls) running versions that didn't receive a hotfix and are therefore vulnerable.”

VulnCheck says that there appear to be no public proof-of-concept (PoC) exploits for CVE-2022-3236, but it's only a matter of time before PoCs become available.
