Critical Sophos Firewall bug under active exploitation
Sophos said the exploitation of the critical firewall vulnerability has, at this time, affected "an extremely small subset of organizations" predominantly located in South Asia.
Threat actors are targeting organizations using a newly disclosed critical bug in Sophos Firewall products.
Sophos disclosed the flaw, tracked as CVE-2022-3236, on Friday via a security advisory. The EDR vendor described it as a code injection bug capable of remote code execution and labeled it critical. Though the flaw has been patched, Sophos said in its disclosure that it had observed exploitation against "a small set of specific organizations," primarily in South Asia.
Sophos released hotfixes last week to patch the zero-day vulnerability. The vendor said no action is required for customers that have automatic updates enabled. Sophos Firewall versions 19.0 and older are considered vulnerable. The advisory also includes a workaround, which disables WAN access to the user portal and web admin console for Sophos Firewalls.
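The advisory conditions above (versions 19.0 and older affected, no action needed where automatic hotfix updates are on, and an interim workaround of disabling WAN access to the user portal and web admin console) map naturally onto a fleet triage pass. The following is an added illustration written for this page, not Sophos code: the inventory records, field names and version-string format are constructed assumptions, while the classification rules come only from the article.

```python
"""Triage a constructed Sophos Firewall inventory against the article's rules.

Assumptions (not from Sophos): inventory fields, the "major.minor[.patch] [MR-n]"
version-string shape, and the action labels returned below.
"""
from dataclasses import dataclass
import re

# Article: "Sophos Firewall versions 19.0 and older are considered vulnerable."
VULNERABLE_MAX = (19, 0)

# Action labels (constructed for this example).
NOT_AFFECTED = "not-affected"
HOTFIX_AUTO = "hotfix-auto-no-action"            # vendor: no action if auto-update on
APPLY_HOTFIX = "apply-hotfix"
EXPOSED = "exposed-apply-hotfix-or-workaround"   # WAN-facing portal/admin: act first


@dataclass
class Firewall:
    name: str
    version: str           # e.g. "19.0.1 MR-1" (format assumed)
    auto_update: bool      # automatic hotfix installation enabled
    portal_on_wan: bool    # user portal reachable from the WAN zone (assumed field)
    webadmin_on_wan: bool  # web admin console reachable from the WAN zone


def parse_version(ver: str) -> tuple[int, int]:
    """Return (major, minor); only these two components decide affectedness here."""
    m = re.match(r"\s*(\d+)\.(\d+)", ver)
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(ver: str) -> bool:
    return parse_version(ver) <= VULNERABLE_MAX


def exposed_services(fw: Firewall) -> list[str]:
    """Services the article's workaround would close off from the WAN."""
    out = []
    if fw.portal_on_wan:
        out.append("user-portal")
    if fw.webadmin_on_wan:
        out.append("webadmin")
    return out


def triage(fw: Firewall) -> str:
    if not is_affected(fw.version):
        return NOT_AFFECTED
    if fw.auto_update:
        return HOTFIX_AUTO
    if exposed_services(fw):
        return EXPOSED
    return APPLY_HOTFIX


def triage_inventory(inventory: list[Firewall]) -> dict[str, str]:
    return {fw.name: triage(fw) for fw in inventory}


# Constructed sample inventory (names, versions and flags are made up).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-1", "19.5.0", True, False, False),
    Firewall("edge-fw-2", "19.0.1 MR-1", True, True, False),
    Firewall("branch-fw-3", "18.5.4", False, True, True),
    Firewall("lab-fw-4", "19.0.0", False, False, False),
]

if __name__ == "__main__":
    for name, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {action}")
```

The ordering of checks is deliberate: a WAN-exposed portal or admin console on an unpatched, non-auto-updating device is the case the workaround exists for, so it is surfaced ahead of the plain "apply hotfix" bucket.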
Asked for additional details about the exploitation's scope, a Sophos spokesperson told TechTarget Editorial that the exploitation affected "an extremely small subset of organizations" and that it was still being investigated.
"In these situations, speed to patch and responsible disclosure are essential," the spokesperson said.
Threat researcher Immanuel Chavoya tweeted Friday that he thought the flaw had a high chance of exploitation because it is a code injection vulnerability.
"RCE In Sophos Firewall exploited in the wild
CVE-2022-3236
This has a HIGH chance of mass exploitation, given the vulnerability is based on Code Injection (CWE-94) and if we look at the #CISA KEVs, at least 28 of those are Code Injection related... https://t.co/TUtBLbBeRQ pic.twitter.com/MgzXCWwgwr"
— Immanuel Chavoya (@FullM3talPacket) September 23, 2022
CVE-2022-3236 is not the first Sophos Firewall vulnerability to be disclosed while under active exploitation. In 2020, Sophos disclosed a zero-day SQL injection bug impacting Sophos XG Firewall. Like this latest flaw, CVE-2020-12271 was capable of remote code execution.
Alexander Culafi is a writer, journalist and podcaster based in Boston.