CVE-2022-3236: Official Patch Out Now for Remote Code Execution Vulnerability in Sophos Firewall


On Friday, 23 September 2022, Sophos disclosed a critical code injection vulnerability impacting Sophos Firewall. This vulnerability, assigned CVE-2022-3236, affects Sophos Firewall versions v19.0 MR1 (19.0.1) and older and could lead to remote code execution. In order for a threat actor to exploit this vulnerability, WAN access would need to be enabled for the Webadmin and User Portal consoles.  

Arctic Wolf has observed public proof of concept (PoC) exploit code being published for this vulnerability; however, it was promptly removed from code sharing platforms. Sophos states it has observed active exploitation of this vulnerability in a small set of organizations in the South Asia region.

Furthermore, threat actors have opportunistically targeted this vulnerability since the initial disclosure in September 2022 and CISA added CVE-2022-3236 to their Known Exploited Vulnerabilities Catalog in September. We strongly recommend applying the relevant security patches to impacted devices to remediate the vulnerability and prevent potential exploitation.  

Note: In addition to CVE-2022-3236, Sophos Firewall v19.5 GA patches six other vulnerabilities, including CVE-2022-3226 (High severity OS command injection vulnerability) and CVE-2022-3713 (High severity code injection vulnerability).  

Recommendations for CVE-2022-3236

Arctic Wolf sent a bulletin with hotfix remediation recommendations on September 26th for this Sophos vulnerability.

Sophos has since released an official patch for CVE-2022-3236 on 6 December 2022. Arctic Wolf strongly recommends updating to the latest, patched version of Sophos Firewall. For customers who are running versions older than the patched release, Sophos recommends upgrading Sophos Firewall to receive the latest protections, including this fix.

Recommendation #1: Apply the Patch (v19.5 GA) to Sophos Firewall 

Sophos has released an official patch for CVE-2022-3236, as well as for a number of other High severity vulnerabilities, in the Sophos Firewall v19.5 GA release. We recommend upgrading to this version as soon as possible, in line with your organization's patching cadence.

Recommendation #2: Disable WAN Access to User Portal & Webadmin 

Sophos recommends disabling WAN access to the User Portal and Webadmin consoles by following device access best practices. Instead, a VPN and/or Sophos Central should be used for remote access and management.
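The two conditions above (a firmware version of v19.0 MR1 / 19.0.1 or older, and WAN access enabled for Webadmin or the User Portal) are what decide whether a given firewall is actually exposed. The following triage script is an added example, not code from Arctic Wolf or Sophos: it applies the bulletin's version thresholds and exposure condition to a small constructed inventory and ranks devices by what needs doing first. The version-string format, the `Device` fields and the inventory values are assumptions for illustration; how you obtain them from your own asset data is up to you.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the bulletin: CVE-2022-3236 affects v19.0 MR1 (19.0.1) and
# older, and the official fix ships in v19.5 GA. Versions between the two are not
# described by the bulletin, so they are flagged for a manual check rather than guessed.
LAST_AFFECTED: Tuple[int, int, int] = (19, 0, 1)
OFFICIAL_FIX: Tuple[int, int, int] = (19, 5, 0)

# Pulls the numeric part out of strings such as "19.0.1 MR-1" or "SFOS 18.5.3 MR-3".
# The exact format a device reports is an assumption here.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a version string, or None if unparseable.
    A missing patch component (e.g. "v19.0") is treated as 0, i.e. the GA build."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


@dataclass
class Device:
    name: str
    version: str
    wan_webadmin: bool      # WAN access to the Webadmin console enabled
    wan_user_portal: bool   # WAN access to the User Portal enabled


def triage(device: Device) -> Dict[str, object]:
    """Classify one device against the bulletin's affected range and exposure condition."""
    ver = parse_version(device.version)
    if ver is None:
        return {"name": device.name, "status": "unknown-version",
                "actions": ["verify firmware version manually"]}

    affected = ver <= LAST_AFFECTED
    unverified = LAST_AFFECTED < ver < OFFICIAL_FIX   # not covered by the bulletin
    exposed = device.wan_webadmin or device.wan_user_portal

    actions: List[str] = []
    if affected:
        actions.append("upgrade to v19.5 GA (or confirm the September hotfix is applied)")
    elif unverified:
        actions.append("version not listed by the bulletin; confirm status with the vendor advisory")
    if exposed:
        actions.append("disable WAN access to Webadmin/User Portal; use VPN or Sophos Central")

    if affected and exposed:
        status = "exploitable"          # vulnerable build reachable from the WAN
    elif affected:
        status = "vulnerable-not-exposed"
    elif unverified:
        status = "check-advisory"
    elif exposed:
        status = "patched-but-exposed"  # fixed build, but still violates the access guidance
    else:
        status = "ok"
    return {"name": device.name, "status": status, "actions": actions}


# Priority order used to sort the report: most urgent first.
_PRIORITY = {"exploitable": 0, "vulnerable-not-exposed": 1, "check-advisory": 2,
             "unknown-version": 3, "patched-but-exposed": 4, "ok": 5}


def triage_inventory(devices: List[Device]) -> List[Dict[str, object]]:
    """Triage every device and return the results sorted by urgency."""
    results = [triage(d) for d in devices]
    return sorted(results, key=lambda r: _PRIORITY[str(r["status"])])


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    Device("fw-branch-01", "19.0.1 MR-1", wan_webadmin=True, wan_user_portal=False),
    Device("fw-branch-02", "SFOS 18.5.3 MR-3", wan_webadmin=False, wan_user_portal=False),
    Device("fw-hq-01", "19.5.0 GA", wan_webadmin=True, wan_user_portal=True),
    Device("fw-lab-01", "19.5.0", wan_webadmin=False, wan_user_portal=False),
    Device("fw-legacy", "version unavailable", wan_webadmin=False, wan_user_portal=True),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"{row['name']:<14} {row['status']:<24} {'; '.join(row['actions'])}")
```

Devices classified as `exploitable` combine both conditions the bulletin names and should be handled first; `patched-but-exposed` devices are not vulnerable to CVE-2022-3236 but still contradict Recommendation #2, so the access change is worth making regardless of patch level.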


James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.