Sophos fixes critical firewall hole exploited by miscreants

Code-injection bug in your network security... mmm, yum yum

A critical code-injection vulnerability in Sophos Firewall has been fixed — but not before miscreants found and exploited the bug.

The flaw, tracked as CVE-2022-3236, exists in the User Portal and Webadmin components of the firewall in versions 19.0 and older. While it hasn't been issued a CVSS severity score, Sophos deemed it "critical" and noted that it allowed for remote code execution.

"Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region," the vendor noted in an advisory this month. "We have informed each of these organizations directly."

The British security software vendor issued hotfixes for supported versions (v17.0 through v19.0) last week, and also provided a workaround, which included disabling WAN access to the User Portal and Webadmin.
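The workaround above only helps if the management interfaces really are unreachable from the internet, so a practitioner will want to verify it from an external vantage point rather than trust the configuration page. The following probe is an added example written for this article, not Sophos tooling; the port numbers are an assumption (the article names the User Portal and Webadmin but gives no ports), and the self-check uses a constructed local listener in place of a real firewall.

```python
import socket

# Ports are an assumption for this example: the article names the User Portal and
# Webadmin but not their ports. Sophos Firewall commonly serves the User Portal on
# TCP 443 and Webadmin on TCP 4444; substitute your own if you have changed them.
DEFAULT_SERVICES = {"user_portal": 443, "webadmin": 4444}


def is_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable all count as not reachable
        return False


def exposed_services(host, services=DEFAULT_SERVICES, timeout=2.0):
    """Probe each named service on host and return the ones that answer.

    Run this from outside the perimeter (not from the LAN) so that a hit
    really means the management interface is listening on the WAN side.
    """
    return {name: port for name, port in services.items()
            if is_reachable(host, port, timeout)}


def self_check():
    """Offline demonstration with a constructed target: a local listener stands in
    for an exposed Webadmin, and a port that was just released stands in for a
    service that is correctly unreachable. Returns the names flagged as exposed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now, so connect() is refused

    try:
        hits = exposed_services("127.0.0.1",
                                {"webadmin": open_port, "user_portal": closed_port},
                                timeout=1.0)
    finally:
        listener.close()
    return sorted(hits)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("self-check, exposed:", self_check())
    else:
        for name, port in exposed_services(target).items():
            print(f"EXPOSED: {name} (tcp/{port}) on {target}")
```

Run it with the firewall's WAN address from a host outside your network; an empty result means the workaround holds for the ports you listed. A TCP connect says only that something is listening, so a hit still needs to be confirmed as the User Portal or Webadmin rather than another service on that port.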

Sophos also said it's continuing to investigate, and will provide additional details at a later date.

As of Tuesday, the security shop's blogs, which regularly detail vulnerabilities and exploits affecting other software vendors, hadn't mentioned its own critical firewall bug.

Other software vendors and security researchers, however, did weigh in on the Sophos bug, with one warning that there's a "high" chance of mass exploitation. At least 28 of the entries in CISA's Known Exploited Vulnerabilities catalog involve code injection, Immanuel Chavoya tweeted.

And while Sophos hasn't yet said who it believes exploited the bug to target South Asian organizations, Chinese state-sponsored attackers were behind earlier attacks this year that involved a different critical flaw in Sophos Firewall.

Just last week, Recorded Future published research on multiple campaigns it attributed to Beijing-linked crews, who were seen abusing a programming error in Sophos Firewall that the software vendor fixed in April. 

That earlier critical remote code execution vulnerability, tracked as CVE-2022-1040, was also used to target South Asian organizations. According to Recorded Future, at least three Chinese state-sponsored groups exploited this bug to gain initial unauthorized access into victims' networks.

Sophos, in its own investigation published in June, reported at least two advanced persistent threat groups exploited CVE-2022-1040 before it was able to issue a patch. The flaw had been used to deploy malware on infected devices.

The software nasty, among other nefarious activities, allowed the attackers to install backdoor tools and steal sensitive data; write, read and manipulate files and settings on compromised devices; and, in some cases, gain complete control over the environment in which it was running. ®
