Sophos has addressed a critical vulnerability, CVE-2022-3236, in its Firewall, discovered to be actively exploited by hackers. This flaw involves a code injection issue in the User Portal and Webadmin of Sophos Firewall, potentially leading to remote code execution. Despite fixing the security concern in September 2022, Sophos found that over 4,000 internet-exposed appliances, many running end-of-life (EOL) firmware, remained vulnerable to attacks by January 2023.
In response to new exploit attempts against the same vulnerability in older, unsupported versions of Sophos Firewall, the company delivered an updated fix in December 2023. The patch was automatically applied to the 99% of affected organizations with the “accept hotfix” feature turned on. Sophos highlights the common practice among attackers to target EOL devices and firmware across various technology vendors. Consequently, organizations are strongly advised to upgrade their EOL devices and firmware to the latest supported versions to enhance security.
For users with disabled auto-update options, enabling it is recommended, followed by a verification check to ensure the hotfix is applied. Alternatively, organizations can manually update to specific versions of Sophos Firewall that address CVE-2022-3236. In cases where immediate updating is not feasible, Sophos suggests restricting WAN access to the User Portal and Webadmin, using VPN or Sophos Central for remote access and management. This incident underscores the ongoing challenges organizations face in maintaining security, especially when dealing with legacy or unsupported systems that remain attractive targets for cyber threats.
