The company confirmed that Sophos Firewall contains a high-severity vulnerability that is being exploited in the wild, urging system administrators to apply a patch or workaround as soon as possible.
In an official statement, the company said that the threat actor abusing the flaw is running a targeted campaign against a specific set of victims rather than exploiting it indiscriminately.
“Sophos has observed that this vulnerability is being exploited by a small set of specific organizations, primarily in the South Asia region,” Sophos said. “We have informed each of these organizations directly. Sophos will provide more details as we continue to investigate.”
Remote code execution
The vulnerability was discovered in the User Portal and WebAdmin. Tracked as CVE-2022-3236, the flaw allows remote code execution by threat actors. The company has already released a fix that should apply automatically for most users. The auto-update feature is enabled by default, so unless system administrators have intentionally disabled it, the fix should already be in place.
Those who should pay particular attention are administrators who have disabled the feature, or who are running older versions of Sophos Firewall; in the latter case the software must first be updated before the fix can be received.
System administrators who cannot apply the patch at this time can also use a workaround: ensure that the User Portal and WebAdmin are not exposed to the WAN.
“Disable global network access to the user portal and web admin, following device access best practices, and instead use VPN and/or Sophos Central (preferred) for remote access and management,” Sophos said.
This is at least the third time this year that a Sophos firewall has hit the headlines for all the wrong reasons. In April of this year, the company announced a fix for a flaw that allowed threat actors to remotely execute any code, including viruses and malware, on endpoints running its firewall software, and in late June it fixed CVE-2022-1040, an authentication bypass bug that could allow arbitrary code execution.
Via: BleepingComputer