Sophos fixes remote code execution on old unsupported firewalls after hacker attacks
Take action: If you are using an unsupported Sophos firewall, you are back in business: Sophos has issued a patch because attackers are targeting you. Apply the patch as soon as possible. Don't wait; a vendor does not spend resources patching end-of-life software when the risk is low.
Sophos, confronted with active exploitation of a remote code execution flaw tracked as CVE-2022-3236 (CVSS score 9.8) in their firewall's User Portal and Webadmin, was compelled to issue a security patch for outdated, end-of-life (EOL) firmware versions.
The flaw was initially addressed in September 2022 for versions up to 19.0.1, but by January 2023 it persisted in over 4,000 internet-exposed appliances, particularly older devices running EOL firmware, which required a manual update or application of the mitigation.
Responding to renewed exploit attempts in December 2023, Sophos released an updated fix for certain EOL firmware versions, which was automatically applied to the majority of affected organizations with the 'accept hotfix' setting enabled.
Sophos advises organizations to upgrade EOL devices and firmware to the latest versions or, where updating is not feasible, to restrict WAN access to the User Portal and Webadmin, using VPN or Sophos Central for remote access and management instead.
The company has also provided detailed instructions for users to enable auto-updates for hotfixes.
Alternatively, users should manually update to one of the following versions of Sophos Firewall, which address CVE-2022-3236:
- v19.0 GA, MR1, and MR1-1
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10