Sophos remote code execution vulnerability under active exploitation
While exploitation against this vulnerability was initially targeted at specific organisations within the South Asia region, it is expected that this will move to indiscriminate and opportunistic targeting.
Severity level: Critical – base score 9.8 out of 10.
A remote code execution (RCE) vulnerability has been detected in the User Portal and Webadmin portal of Sophos Firewalls. This vulnerability is being tracked under CVE-2022-3236.
CVE-2022-3236 has been added to the CISA known exploited vulnerability catalogue.
Successful exploitation of this vulnerability grants a threat actor the ability to run arbitrary code on a Sophos device.
Detection: identify any Sophos Firewall running v19.0 MR1 (19.0.1) or older within the organisation.
Sophos Firewall v19.0 MR1 (19.0.1) and older
Containment, Mitigations & Remediations
To remediate this vulnerability, it is recommended that affected Sophos devices are updated to the latest supported version:
- v19.5 GA
- v19.0 MR2 (19.0.2)
- v19.0 GA, MR1, and MR1-1
- v18.5 MR5 (18.5.5)
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
It is also recommended that, as a mitigation to this vulnerability, the User Portal and Webadmin portal are not exposed to the internet.
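As an added triage example (not part of this advisory or of Sophos' own tooling), the check below flags inventory records whose firmware meets the page's detection criterion of v19.0 MR1 (19.0.1) or older, or whose User Portal or Webadmin is reachable from the internet. The inventory schema, the device names and the treatment of an "MRn-m" suffix as a sub-release newer than its base are assumptions.

```python
from __future__ import annotations
import re

# Detection criterion from the advisory: Sophos Firewall v19.0 MR1 (19.0.1) and older.
LAST_AFFECTED = (19, 0, 1, 0)

# Accepts "v19.0 MR1", "19.0 MR1-1", "v18.5 GA" or dotted "19.0.1"; "GA" means MR0.
# Assumption: an "MRn-m" suffix is a sub-release that sorts after plain "MRn".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+)|\s+(?:GA|MR(\d+)(?:-(\d+))?))?$", re.IGNORECASE
)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Normalise a Sophos Firewall version string to (major, minor, mr, sub)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sophos version string: {text!r}")
    major, minor, dotted, mr, sub = m.groups()
    return (int(major), int(minor), int(dotted or mr or 0), int(sub or 0))


def is_affected(version: str) -> bool:
    """True when the firmware is v19.0 MR1 (19.0.1) or older."""
    return parse_version(version) <= LAST_AFFECTED


def triage(device: dict) -> list[str]:
    """Return findings for one inventory record (constructed schema, see lead-in)."""
    findings = []
    if is_affected(device["version"]):
        findings.append("CVE-2022-3236: affected firmware, update to v19.5 GA or v19.0 MR2")
    if device.get("user_portal_wan") or device.get("webadmin_wan"):
        findings.append("User Portal/Webadmin reachable from the internet: restrict exposure")
    return findings


# Constructed sample inventory (not real hosts).
INVENTORY = [
    {"name": "fw-edge-01", "version": "v19.0 MR1", "user_portal_wan": True, "webadmin_wan": False},
    {"name": "fw-branch-02", "version": "18.5 MR4", "user_portal_wan": False, "webadmin_wan": False},
    {"name": "fw-dc-03", "version": "v19.5 GA", "user_portal_wan": False, "webadmin_wan": True},
    {"name": "fw-lab-04", "version": "19.0.2", "user_portal_wan": False, "webadmin_wan": False},
]


def report(inventory=INVENTORY) -> dict[str, list[str]]:
    """Map device name to its findings; devices with no findings are omitted."""
    return {d["name"]: f for d in inventory if (f := triage(d))}


if __name__ == "__main__":
    for name, findings in report().items():
        print(name, *("  - " + line for line in findings), sep="\n")
```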
Indicators of Compromise
No current IOCs have been released.
Vulnerabilities such as this will almost certainly continue to be exploited opportunistically by malicious threat actors as they are discovered and shared across online forums.
This attack has not been attributed to any specific threat actor group.
T1190 – Exploit Public-Facing Application
T1133 – External Remote Services
CISA known exploited vulnerability catalogue