Security News, January 2023: Thousands of Sophos firewalls still vulnerable out there to hijacking
More than 4,000 public-facing Sophos firewalls remain vulnerable to a critical remote code execution bug disclosed last year and patched months later, according to security researchers.
The flaw, CVE-2022-3236, had already been exploited as a zero-day when Sophos published a security advisory about the vulnerability in September 2022.
Sophos initially issued a hotfix for some versions of the firewall, and then released a formal update that squashed the bug in December 2022.
Despite that software update, "More than 99 percent of internet-facing Sophos Firewalls haven't upgraded to versions containing the official fix for CVE-2022-3236," according to VulnCheck researchers, who wrote their own proof-of-concept exploit and scanned internet-facing Sophos firewalls to determine how likely mass exploitation actually is.
This is very good news for the 4,000-plus boxes running vulnerable Sophos code.
"Most internet-facing Sophos Firewalls appear to have the login captcha enabled, which means, even at the most opportune times, this vulnerability was unlikely to have been successfully exploited at scale."
News URL: https://go.theregister.com/feed/www.theregister.com/2023/01/18/4000_buggy_sophos_firewalls/
Related news
- Custom "Pygmy Goat" malware used in Sophos Firewall hack on govt network
- US names Chinese national it alleges was behind 2020 attack on Sophos firewalls
- U.S. Charges Chinese Hacker for Exploiting Zero-Day in 81,000 Sophos Firewalls
- Sophos Issues Hotfixes for Critical Firewall Flaws: Update to Prevent Exploitation
- Sophos Firewall vulnerable to critical remote code execution flaw
- Sophos discloses critical Firewall remote code execution flaw
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-09-23 | CVE-2022-3236 | Code Injection vulnerability in Sophos Firewall 19.0.1: A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older. | 9.8 |