Critical Remote Code Execution Vulnerability in Sophos Firewall Devices
Enterprotect, a cybersecurity company, is issuing a threat advisory on a critical remote code execution (RCE) vulnerability found in the User Portal and Webadmin of Sophos Firewall devices. The vulnerability, identified as CVE-2022-3236, was disclosed by Sophos in September 2022 and hotfixes were released for multiple versions of the firewall. However, thousands of devices are still vulnerable to attacks and have yet to receive the hotfix.
What is the Threat?
The threat is a code injection flaw (CVE-2022-3236) found in the User Portal and Webadmin of Sophos Firewall devices. The vulnerability allows for remote code execution and has been exploited in the wild in attacks against organizations in South Asia.
Why is it Noteworthy?
This vulnerability is noteworthy because it is a critical flaw that allows for remote code execution and has already been exploited in the wild. Additionally, thousands of devices are still vulnerable to attack despite the hotfixes being released.
What is the Exposure or Risk?
Thousands of Sophos Firewall devices that are exposed to the Internet remain vulnerable to attacks targeting this RCE vulnerability. Successful exploitation can give an attacker access to and control of the affected device, and potentially access to sensitive information passing through or stored on it.
What are the Recommendations?
Enterprotect recommends that all Sophos Firewall device administrators ensure that their devices are running a supported version and have received the hotfix for CVE-2022-3236. If a device cannot be patched, administrators should reduce the attack surface by disabling WAN access to the User Portal and Webadmin. Additionally, administrators should be aware that similar vulnerabilities have been exploited in the past and should stay vigilant for updates and patches from Sophos.