Over 4,000 Sophos Firewall devices vulnerable to RCE attacks


Over 4,000 Sophos Firewall devices exposed to Internet access are vulnerable to attacks targeting a critical remote code execution (RCE) vulnerability.

Sophos disclosed this code injection flaw (CVE-2022-3236) found in the User Portal and Webadmin of Sophos Firewall in September and also released hotfixes for multiple Sophos Firewall versions (official fixes were issued three months later, in December 2022).

The company warned at the time that the RCE bug was being exploited in the wild in attacks against organizations from South Asia.

The September hotfixes rolled out to all affected instances (v19.0 MR1/19.0.1 and older) since automatic updates are enabled by default — unless an administrator disabled the option.

Sophos Firewall instances running older product versions had to be upgraded manually to a supported version to receive the CVE-2022-3236 hotfix automatically.

Admins who cannot patch the vulnerable software can also remove the attack surface by disabling WAN access to the User Portal and Webadmin.

Thousands of devices are still vulnerable

While scanning the Internet for Sophos Firewall devices, VulnCheck vulnerability researcher Jacob Baines found that out of more than 88,000 instances, around 6% or more than 4,000 are running versions that haven’t received a hotfix and are vulnerable to CVE-2022-3236 attacks.

“More than 99% of internet-facing Sophos Firewalls haven’t upgraded to versions containing the official fix for CVE-2022-3236,” Baines said.

“But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator).

“That still leaves more than 4,000 firewalls (or about 6% of internet-facing Sophos Firewalls) running versions that didn’t receive a hotfix and are therefore vulnerable.”

Luckily, despite already being exploited as a zero-day, a CVE-2022-3236 proof-of-concept exploit is yet to be published online.

However, Baines was able to reproduce the exploit from technical information shared by Trend Micro’s Zero Day Initiative (ZDI), so it is likely that threat actors will soon be able to as well.

When and if this happens, that will most likely lead to a new wave of attacks as soon as threat actors create a fully working version of the exploit and add it to their tool set.

Baines also added that mass exploitation would likely be hindered by Sophos Firewall requiring web clients by default “to solve a captcha during authentication.”

To workaround this limitation and reach the vulnerable code, attackers would have to include an automated CAPTCHA solver.

Sophos Firewall CAPTCHA challenge
Sophos Firewall CAPTCHA challenge (Jacob Baines)

​Sophos Firewall bugs previously targeted in attacks

Patching Sophos Firewall bugs is critically important, given that this wouldn’t be the first time such a vulnerability is exploited in the wild.

In March 2022, Sophos patched a similar critical Sophos Firewall bug (CVE-2022-1040) in the User Portal and Webadmin modules that enabled authentication bypass and arbitrary code execution attacks.

It was also exploited in attacks as a zero-day since early March (roughly three weeks before Sophos released patches) against South Asian organizations by a Chinese threat group tracked as DriftingCloud.

A zero-day in XG Firewall SQL injection was also abused by threat actors starting in early 2020 to steal sensitive data such as usernames and passwords using the Asnarök trojan malware.

The same zero-day was exploited to deliver Ragnarok ransomware payloads onto Windows enterprise networks.


Leave a Comment

Your email address will not be published. Required fields are marked *