Table of Contents
  • Home
  • /
  • Blog
  • /
  • How to Fix CVE-2022-3236- A Critical RCE Vulnerability in Sophos Firewall
September 28, 2022

How to Fix CVE-2022-3236- A Critical RCE Vulnerability in Sophos Firewall

How To Fix Cve 2022 3236 A Critical Rce Vulnerability In Sophos Firewall

Sophos resolved a 0-day vulnerability in Sophos firewall upon security researchers discovered that attackers are exploiting the firewall in the wild. The flaw tracked under the identification number CVE-2022-3236 is a code injection vulnerability in the User Portal and Webadmin components of the Sophos firewall. Attackers abuse this code injection vulnerability to perform remote code execution on the vulnerable versions of Sophos firewall. Since the flaw lice in the outer access layer of the firewall and assigned a CVSS score of 9.8, which is considered critical, it is important to fix the CVE-2022-3236 as soon as possible. Let’s see how to fix CVE-2022-3236, a 0-day RCE vulnerability in Sophos firewall, in this post.

A short note about Sophos Firewall:

Sophos Firewall is a powerful, enterprise-grade security solution that helps protect businesses of all sizes from online threats. It offers advanced features such as application control, intrusion prevention, and web filtering to give businesses the protection they need against today’s sophisticated cyber attacks. Sophos Firewall is available in both hardware and software versions, so businesses can choose the option that best fits their needs.

Summary of CVE-2022-3236:

This is a code injection vulnerability in the User Portal and Webadmin components of the Sophos firewall that could be abused by remote attackers to execute arbitrary code on the vulnerable versions of Sophos firewalls.

The flaw is tracked under the CVE ID CVE-2022-3236 and has been assigned a CVSS score of 9.8 out of 10 on the scale. Let’s see the vulnerability vector in the below table.

Associated CVE IDCVE-2022-3236
DescriptionA RCE Vulnerability in Sophos Firewall
Associated ZDI ID
CVSS Score9.8 Critical
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
Confidentiality (C)High
Integrity (I)High
availability (a)High

Sophos Firewall Versions Affected by CVE-2022-3236

As per the advisory, all the firewalls less than or equal to v19.0 MR1 (19.0.1) are vulnerable to the flaw and require action against the vulnerability to protect from advisories.

Vulnerable Versions: v19.0 MR1 (19.0.1) or older.

How to Fix CVE-2022-3236- A RCE Vulnerability in Sophos Firewall?

Sophos has responded to this 0-day RCE vulnerability by releasing a patch and hotfixes for older versions of the firmware. The vendor released versions v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA with the fix. We recommend upgrading your firmware to v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA to fix the CVE-2022-3236 vulnerability permanently.

Sophos has released the hotfix for the older firmware that doesn’t support the upgrade.

  • v19.0 GA, MR1, and MR1-1

  • v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4

  • v18.0 MR3, MR4, MR5, and MR6

  • v17.5 MR12, MR13, MR14, MR15, MR16, and MR17

  • v17.0 MR10

Note: Please refer to this retirement calendarversion compatibly of firmware version, and prechecks before you begin the upgradation process. Please don’t download from untrusted sources or any third party. We urge you to download the Sophos firewall firmware only from the Sophos Licensing Portal. If you are running the Sophos firewall in HA mode, refer to this KB to upgrade in HA mode.

No action is required for Sophos Firewall on which the “Allow automatic installation of hotfixes” feature is enabled. See how to enable auto installation of hotfixes below. Enabled is the default setting.

  1. Go to Backup & firmware > Firmware > Hotfix.

  2. Turn on Allow automatic installation of hotfixes.

  3. Click Apply.

How Do You Verify HotFix for CVE-2022-3236 is Applied on Your Sophos Firewall?

To verify whether hotfix is applied to your firewall. Run this command on the CLI console. If the hotfix is installed on your firewall, you will see HF092122.1 or a later value in Hotfix Tag, as shown in the below picture. 

system diagnostic show version-info

Source: Sophos


Since this flaw is actively being exploited, it is necessary to fix the flaw as soon as you can, especially if your firewall is placed internet-facing and made accessible from the public network. If you are not in a position to fix the CVE-2022-3236 vulnerability anytime soon. We recommend restricting WAN access to the User Portal and Webadmin of the firewall or configuring the interface behind a VPN firewall so that only concerned people will only have access to the User Portal until the patch or hotfix is applied.

Tips for implementing the firewall with better security:

  1. Restrict access to Local services on the public network: Local services are management services specific to the internal functioning of Sophos Firewall, such as web admin and CLI consoles and authentication services. You can allow or block access to local services from Administration > Device access. Or, Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.

  2. Change the default access credentials and port: It should be the first step to change the default credentials, that is, admin/admin and default port 8443. 

  3. Use key-based authentication instead of username and password authentication: Configure the public key authentication in Administration > Device access.

  4. Enable Multi-factor authentication: Configure MFA using hardware or software tokens.

We hope this post would help you know how to fix CVE-2022-3236, a critical RCE vulnerability in Sophos Firewall. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, Medium & Instagram, and subscribe to receive updates like this. 

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription