More than 4,000 Sophos Firewall devices are vulnerable to RCE attacks

More than 4,000 Sophos Firewall devices exposed to the internet remain vulnerable to remote code execution (RCE) attacks.

Sophos disclosed this code injection flaw in the User Portal of Sophos Firewall in September and issued hotfixes for multiple Sophos Firewall versions (official fixes were released in December 2022).

At the time, the company also said the RCE bug was being used in attacks on South Asian organizations.

The September hotfixes were pushed to all affected instances; automatic hotfix installation is enabled by default unless administrators turn it off.

Sophos Firewall installations running an older, unsupported version had to be manually upgraded to a supported version to receive the CVE-2022-3236 hotfix.

Administrators who are unable to patch vulnerable installations can also mitigate the flaw by disabling WAN access to the affected interface.

Many devices remain vulnerable

Jacob Baines, a vulnerability researcher at VulnCheck, found that around 6% of the roughly 88,000 internet-exposed Sophos Firewall instances are running unpatched versions and remain susceptible to CVE-2022-3236 attacks.

He found that “more than 99%” of internet-facing Sophos Firewalls have not upgraded to the latest version containing the CVE-2022-3236 fix.

“But, around 93% of users are using versions eligible for hotfixes. The default behavior of the firewall is to download hotfixes and then apply them (unless an administrator disables it).

This leaves over 4,000 firewalls, or about 6% of internet-facing Sophos Firewalls, with versions that have not received a hotfix. They’re therefore still vulnerable.”

Although the flaw has already been exploited as a zero-day, no CVE-2022-3236 proof-of-concept exploit has been published online yet.

Baines, however, was able to reproduce the exploit using technical information from Trend Micro’s Zero Day Initiative (ZDI), and it is likely that other threat actors will soon be able to do the same.

If and when that happens, it will likely trigger a new wave of attacks, as threat actors build a fully functional exploit and add it to their toolbox.

Baines noted that Sophos Firewall requires web clients to solve a CAPTCHA during authentication, which would make mass exploitation more difficult.

An attacker would need to add an automated CAPTCHA solver in order to work around this limitation.

Sophos Firewall CAPTCHA challenge (Jacob Baines)

Sophos Firewall bugs have been exploited before

Patching this vulnerability is crucial, since Sophos Firewall bugs have been exploited in the wild before and this one could be again.

Earlier, Sophos fixed a flaw in its User Portal and Webadmin modules that allowed authentication bypass and code execution attacks.

That flaw was used in attacks against South Asian organisations by DriftingCloud, a Chinese threat group.

Another Sophos Firewall zero-day was exploited by threat actors in 2020, who used it to steal usernames and passwords.

This zero-day could be used to on Windows enterprise networks.