June 7, 2023

Sophos has patched an actively exploited RCE vulnerability tracked as CVE-2022-3236 in its Firewall products. Also it communicated to the organization directly about the vulnerability.

CVE-2022-3236 is a code injection vulnerability in the User Portal and Webadmin of Sophos Firewall. If successfully exploited, it allows for RCE on the targeted vulnerable installation.


Sophos Firewall v19.0 MR1 (19.0.1) and older are affected. Sophos published hotfixes for a variety of them, and has included the fix in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA.

The hotfixes have been pushed to customers with the “Allow automatic installation of hotfixes” feature enabled on remediated versions.

Customers who don’t have the featured enabled are advised to get the hotfix or to upgrade to a newer version. If fix is not possible, they can protect themselves from external attackers by disabling WAN access to the User Portal and Webadmin.


An alternative for remote access and management, they can use VPN and/or the Sophos Central cloud management platform.

This vulnerability has been added to CISA’s Known Exploited Vulnerabilities Catalog.

Leave a Reply

%d bloggers like this: