Sophos remote code execution vulnerability under active exploitation
Target Industry
While exploitation of this vulnerability initially targeted specific organisations in the South Asia region, it is expected to move to indiscriminate and opportunistic targeting.
Overview
Severity level: Critical – base score 9.8 out of 10.
A remote code execution (RCE) vulnerability has been detected in the User Portal and Webadmin portal of Sophos Firewalls. This vulnerability is being tracked under CVE-2022-3236.
CVE-2022-3236 has been added to the CISA known exploited vulnerability catalogue.
Impact
Successful exploitation of this vulnerability grants a threat actor the ability to run arbitrary code on a Sophos device.
Vulnerability Detection
Identify any Sophos Firewall running v19.0 MR1 (19.0.1) or older within the organisation.
Affected Products
Sophos Firewall v19.0 MR1 (19.0.1) and older
Containment, Mitigations & Remediations
To remediate this vulnerability, it is recommended that affected Sophos devices are updated to the latest supported version:
- v19.5 GA
- v19.0 MR2 (19.0.2)
- v19.0 GA, MR1, and MR1-1
- v18.5 MR5 (18.5.5)
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
It is also recommended that, as a mitigation to this vulnerability, the User Portal and Webadmin portal are not exposed to the internet.
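As an added example (not part of this advisory), the Python helper below turns the Sophos Firewall version strings used above ("v19.0 MR1", "19.0.1", "v18.5 MR5 (18.5.5)", "v19.5 GA", "v19.0 MR1-1") into comparable tuples, flags inventory entries at or below 19.0.1 per the detection guidance, and separately flags devices whose User Portal or Webadmin portal is internet-exposed. The inventory records and the `portal_wan_exposed` field are constructed assumptions; since the remediation list also names builds below 19.0.1, a version string alone cannot confirm that a device has been updated.

```python
import re

# Highest affected build per the advisory: v19.0 MR1 (19.0.1) as (major, minor, MR, sub).
LAST_AFFECTED = (19, 0, 1, 0)
# Matches "v19.0 MR1", "19.0.1", "v18.5 MR5 (18.5.5)", "v19.5 GA", "v19.0 MR1-1".
_VERSION_RE = re.compile(
    r"v?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+)|\s*(?:GA|MR(?P<mr>\d+)(?:-(?P<sub>\d+))?))?",
    re.IGNORECASE,
)

def parse_sfos_version(text):
    """Turn a Sophos Firewall version string into a comparable tuple (GA counts as MR0)."""
    match = _VERSION_RE.search(text.strip())
    if not match:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    major, minor = int(match["major"]), int(match["minor"])
    if match["patch"] is not None:      # dotted form, e.g. 19.0.1
        release = int(match["patch"])
    elif match["mr"] is not None:       # maintenance release, e.g. MR1
        release = int(match["mr"])
    else:                               # GA or bare "19.0"
        release = 0
    sub = int(match["sub"]) if match["sub"] else 0   # "MR1-1" -> sub-release 1
    return (major, minor, release, sub)

def is_affected(version):
    """True when the build is v19.0 MR1 (19.0.1) or older."""
    return parse_sfos_version(version) <= LAST_AFFECTED

def triage(inventory):
    """Group hostnames by the action the advisory calls for."""
    actions = {"upgrade": [], "restrict_portal": []}
    for device in inventory:
        if is_affected(device["version"]):
            actions["upgrade"].append(device["name"])
        if device.get("portal_wan_exposed"):   # User Portal / Webadmin reachable from the internet
            actions["restrict_portal"].append(device["name"])
    return actions

# Constructed sample inventory: hostnames, versions and exposure flags are hypothetical.
SAMPLE_INVENTORY = [
    {"name": "fw-branch-01", "version": "v19.0 MR1 (19.0.1)", "portal_wan_exposed": True},
    {"name": "fw-hq-01", "version": "v19.5 GA", "portal_wan_exposed": False},
    {"name": "fw-dc-02", "version": "18.5.5", "portal_wan_exposed": True},
]

def sample_triage():
    return triage(SAMPLE_INVENTORY)
```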
Indicators of Compromise
No current IOCs have been released.
Threat Landscape
Vulnerabilities such as this will almost certainly continue to be exploited opportunistically by malicious threat actors as they are discovered and shared across online forums.
Threat Group
This attack has not been attributed to any specific threat actor group.
MITRE Methodologies
T1190 – Exploit Public-Facing Application
T1133 – External Remote Services
Further Information
CISA known exploited vulnerability catalogue