Avanet
More than 4,000 Sophos Firewalls Are Still Affected by the Vulnerability

Security researchers at VulnCheck have found that many network admins worldwide have still not updated their Sophos Firewalls. They identified around 88,000 firewalls reachable from the internet, thousands of which are vulnerable to a critical security flaw.

The User Portal of approximately 78,000 firewalls is accessible from the internet, and 10,000 firewalls even expose the Web-Admin login. Starting with SFOS Version 18.0 MR3, the backend actively warns administrators about this.

[Figure: Sophos Firewalls User Portal]
[Figure: Sophos Firewalls WebAdmin]

The vulnerability has been known since September 2022, and hotfixes and security patches have been available since December. The researchers advise administrators to check not only the installed version but also log files for possible compromises.

We have reported on Sophos Firewall vulnerabilities in the past (Sophos SFOS SQL Injection Vulnerability Patched) and on the measures we recommend to prevent the firewall from being so easily reachable over the internet.

The vulnerability, known as CVE-2022-3236, allows attackers to execute malicious code and is classified as extremely critical. When Sophos disclosed the vulnerability last September, the company warned that it had already been exploited as a zero-day. Sophos urged customers to install a hotfix and later a full patch to prevent compromise.

[Figure: Sophos Firewalls with versions for which a hotfix is available]
[Figure: Sophos Firewalls with vulnerable versions]

More than 99 percent of Sophos Firewalls reachable from the internet have not been updated to versions that include the official patch for CVE-2022-3236, writes VulnCheck researcher Jacob Baines. However, around 93% of systems are running versions for which a hotfix is available, and the default firewall behavior is to automatically download and apply hotfixes, unless an administrator has disabled this. It is likely that almost all firewalls eligible for a hotfix have received one.

This means that more than 4,000 firewalls are still running versions that have not received a hotfix and are therefore vulnerable. According to VulnCheck, whose figures come from a Shodan search, this corresponds to around 6% of all Sophos Firewalls exposed to the internet.

So download and install Sophos Firewall Version 19.5, and verify that the hotfix has actually been applied automatically on your firewall.

Patrizio