Home / Threat Intelligence bulletins / Sophos remote code execution vulnerability under active exploitation

Target Industry

While exploitation against this vulnerability was initially targeted at specific organisations within the South Asia region, it is expected that this will move to indiscriminate and opportunistic targeting.


Severity level: Critical – base score 9.8 out of 10.

A remote code execution (RCE) vulnerability has been detected in the User Portal and Webadmin portal of Sophos Firewalls. This vulnerability is being tracked under CVE-2022-3236.

CVE-2022-3236 has been added to the CISA known exploited vulnerability catalogue.


Successful exploitation of this vulnerability grants a threat actor with the ability to run arbitrary code on a Sophos device.

Vulnerability Detection

Detection of Sophos Firewall v19.0 MR1 (19.0.1) and older within an organisation.

Affected Products

Sophos Firewall v19.0 MR1 (19.0.1) and older

Containment, Mitigations & Remediations

To remediate this vulnerability it is recommended that affected Sophos devices are updated to the latest supported version:

  • v19.5 GA
  • v19.0 MR2 (19.0.2)
  • v19.0 GA, MR1, and MR1-1
  • v18.5 MR5 (18.5.5)
  • v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
  • v18.0 MR3, MR4, MR5, and MR6
  • v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
  • v17.0 MR10

It is also recommended that, as a mitigation to this vulnerability, the User Portal and Webadmin portal are not exposed to the internet.

Indicators of Compromise

No current IOCs have been released.

Threat Landscape

Opportunistic threats such as these will almost certainly continue to be exploited by malicious threat actors as the vulnerabilities are discovered and shared across online forums.

Threat Group

This attack has not been attributed to any specific threat actor group.

Mitre Methodologies

T1190 – Exploit Public-Facing Application
T1133 – External Remote Services

Further Information

Sophos Security Advisory


CISA known exploited vulerability catalogue