Sophos Firewall carries a high-severity vulnerability that’s being actively exploited in the wild, the company has confirmed, urging system admins to apply the patch, or the workaround, as quickly as possible.
In an official announcement, the company said that the threat actor abusing the flaw focuses on a specific type of companies for its victims.
“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” Sophos said. “We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.”
Remote code execution
The vulnerability was discovered in the User Portal and Webadmin. Tracked as CVE-2022-3236, the flaw allows threat actors to remotely execute code. The company has already released a fix, that should be applied automatically to most users. By default, the feature of automatic updates is enabled, so unless system admins deliberately turned it off, they should be fine.
Those that should pay extra care are those that have the feature turned off, or those who are using older versions of Sophos Firewall. These would need to upgrade the software, first.
System admins that are unable to apply the patch at this time can also use the workaround – making sure the User Portal and Webadmin aren’t exposed to WAN.
“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management,” Sophos said.
This is at least the third time this year Sophos Firewall made headlines for all the wrong reasons. In April this year, the company announced patching a flaw that allowed threat actors to remotely execute any code, including viruses and malware, on an endpoint (opens in new tab) running its firewall software, and in late June, it fixed CVE-2022-1040 (authentication bypass flaw that allows arbitrary code execution).
Via: BleepingComputer (opens in new tab)