Synopsis: Sophos backported a security update for CVE-2022-3236, which is a critical code injection flaw in the User Portal and Webadmin of Sophos Firewall that allows remote code execution.
Despite the initial fix in September 2022, active exploitation persisted and affected over 4,000 exposed appliances in January 2023, especially those with end-of-life firmware. A subsequent hotfix was delivered in December 2023 for older, unsupported versions of the firewall and automatically applied to devices set to auto-accept vendor security updates.
However, if auto-update has not been enabled, organizations are urged to enable it and verify that the hotfix has been applied, or update Sophos Firewall to a version that addresses CVE-2022-3236. If updating is not possible, restricting WAN access to User Portal and Webadmin and using VPN or Sophos Central for remote management is recommended.
Action: Ensure immediate application of the available hotfix for CVE-2022-3236 in Sophos Firewall and enable auto-update for vendor security patches where possible. Otherwise, restrict WAN access to User Portal and Webadmin and rely on VPN or Sophos Central for secure remote management.
Associated Articles:
Sophos backports RCE fix after attacks on unsupported firewalls
