CVE-2022-3236 — Sophos Firewall Code Injection Vulnerability

Sophos Firewall — Second Zero-Day of 2022; Pre-Auth Code Injection in User Portal Exploited Against South Asian Organizations

What is Sophos Firewall?

Sophos Firewall (formerly Sophos XG Firewall) is a next-generation firewall appliance providing network protection for enterprise and SMB environments. It combines traditional firewall functions with intrusion prevention, web filtering, VPN, application control, and email security. The device exposes a User Portal (accessible to end users for VPN access and self-service) and a Webadmin interface (for administrators) on the network perimeter — both are often internet-accessible by design. As a network perimeter security device, a compromise of the Sophos Firewall provides the attacker with an inside-the-perimeter vantage point and the ability to intercept or redirect network traffic.

Overview

CVE-2022-3236 is a critical code injection vulnerability (CWE-94, CVSS 9.8) in the User Portal and Webadmin components of Sophos Firewall. An unauthenticated remote attacker can inject and execute code via a specially crafted request to either interface, achieving remote code execution on the underlying OS. This was the second major Sophos Firewall zero-day of 2022; the first was CVE-2022-1040 (March 2022, also a pre-auth RCE). Sophos confirmed the vulnerability was being exploited in targeted attacks against a small set of organizations in South Asia. Sophos automatically deployed a hotfix to most affected devices at the same time as it published the advisory.

Affected Versions

Product            Vulnerable Firmware                Fixed
Sophos Firewall    v19.0 MR1 (19.0.1) and earlier     v19.0 MR1-1 hotfix or upgrade

Sophos automatically deployed a hotfix to most internet-connected firewalls. To verify your device received the hotfix, check the SFOS version in Sophos Central or the device's admin panel.

Technical Details

The vulnerability (CWE-94: Code Injection) exists in the web application code running the User Portal and Webadmin interfaces on Sophos Firewall (SophosFW OS / SFOS). The interfaces process HTTP requests that include user-supplied parameters used in dynamically executed server-side code without adequate input sanitization.

An unauthenticated attacker can craft an HTTP request to the User Portal (typically accessible on port 443 or 4444 from the WAN side) or Webadmin (typically accessible on port 4444 from the LAN side) containing injected code that is evaluated server-side. This allows the attacker to execute arbitrary commands on the Linux-based firewall operating system.

The User Portal's internet accessibility means that CVE-2022-3236 is exploitable without requiring LAN access — an unauthenticated attacker from the internet can directly target exposed firewalls. Sophos observed targeted exploitation against a small number of specific organizations in South Asia, suggesting the exploit was being used by a targeted threat actor rather than in mass automated scanning.

Discovery

The vulnerability was discovered by Sophos in the course of investigating a targeted attack. As with CVE-2022-1040 earlier in 2022, Sophos identified the vulnerability through threat intelligence and incident response rather than through an external researcher's report. The simultaneous release of an advisory, automatic hotfix deployment, and CISA KEV addition reflects Sophos's evolved response process following the high-profile zero-day exploitation events earlier in 2022.

Exploitation Context

Sophos Firewall has been a repeated target for sophisticated threat actors in 2022:

  • CVE-2022-1040 (March 2022): Pre-auth RCE in User Portal; exploited by a Chinese APT group to deploy custom malware ("Asnarök" and "Gh0stRAT" variants) against South and Southeast Asian organizations
  • CVE-2022-3236 (September 2022): Second zero-day of the same year; also targeted at South Asian organizations

The targeting pattern (South Asia focus, custom malware, pre-auth RCE in perimeter security devices) is consistent with Chinese state-sponsored APT tradecraft. Sophos published a report documenting this threat actor campaign and the malware families observed in post-exploitation activity.

The specific value of compromising Sophos Firewall for nation-state actors includes:

  • Intercepting unencrypted network traffic passing through the firewall
  • Pivoting to the protected internal network
  • Harvesting VPN credentials from the User Portal
  • Establishing persistent access inside the perimeter for long-term espionage

Remediation

  1. Verify hotfix deployment: Sophos automatically deployed hotfix SFOS 19.0 MR1-1 to internet-connected firewalls. Verify in Sophos Central or the device admin panel that the hotfix is applied. If your device is not internet-connected, apply the update manually.
  2. Restrict User Portal internet access: If internet exposure of the VPN User Portal is not required, disable WAN access to it. Use Sophos Central or a VPN preauthentication method instead.
  3. Disable Webadmin WAN access: Admin interface (Webadmin) should never be internet-accessible. Verify it is restricted to the LAN or management network.
  4. Review for compromise indicators: If your firewall was internet-exposed before the hotfix, check for unexpected processes, configuration changes, new firewall rules, or VPN access events consistent with unauthorized activity.
  5. Audit VPN logs: Sophos User Portal stores VPN credentials — review VPN session logs for connections from unexpected IP addresses or geolocations.
  6. Apply firmware update: Beyond the hotfix, upgrade to Sophos Firewall v19.5 or the current release for comprehensive security improvements.

Key Details

Property              Value
CVE ID                CVE-2022-3236
Vendor / Product      Sophos — Firewall
NVD Published         2022-09-23
NVD Last Modified     2025-10-27
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-94
CISA KEV Added        2022-09-23
CISA KEV Deadline     2022-10-14
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-10-14. Apply updates per vendor instructions.

Timeline

Date         Event
2022-09-23   Sophos published advisory and automatically deployed hotfix; CVE published; CISA added to KEV
2022-10-14   CISA BOD 22-01 remediation deadline

References

Resource                                            Type
NVD — CVE-2022-3236                                 Vulnerability Database
CISA KEV Catalog Entry                              US Government
Sophos Security Advisory — SA-20220923-sfos-rce     Vendor Advisory