In a significant cybersecurity development, Sophos has issued a critical patch for its firewall product following the discovery of a severe zero-day vulnerability actively being exploited by cyber attackers. This vulnerability has raised serious concerns for users, as it could lead to unauthorized remote code execution.

The issue, identified as CVE-2022-3236 and assigned a high CVSS score of 9.8, affects versions of Sophos Firewall up to and including v19.0 MR1 (19.0.1). The vulnerability is a code injection flaw in the User Portal and Webadmin components.

Sophos has reported that this vulnerability has been leveraged against a targeted group of organizations, primarily located in South Asia. In response, the company has reached out directly to affected entities to mitigate the threat and ensure that they are aware of the necessary steps required to secure their systems.

In light of this incident, Sophos recommends that all users restrict external access to the User Portal and Webadmin to minimize exposure. Users are also urged to upgrade to newer, supported versions of the firewall to benefit from the latest security protections. Versions recommended for update include v19.5 GA, v19.0 MR2 (19.0.2), and several earlier variants spanning from v18.5 to v17.0.
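The two recommendations above (restrict external access to the User Portal and Webadmin, and upgrade to a fixed release) can be turned into a repeatable inventory check. The script below is an added example and is not code from the article or from Sophos; the inventory records are constructed, and the field names `wan_user_portal` and `wan_webadmin` are assumptions. Its version rules follow only what the page states: everything up to v19.0 MR1 (19.0.1) is affected, v19.0 MR2 (19.0.2) and v19.5 GA are fixed, and the 17.0 to 18.5 lines received fixes whose maintenance-release numbers the page does not give, so those appliances are reported as "verify-hotfix" rather than guessed at. Releases newer than 19.5 are assumed to carry the fix.

```python
"""Audit a Sophos Firewall inventory for CVE-2022-3236 exposure.

Added example, not part of the original article or Sophos' own tooling.
SAMPLE_INVENTORY is constructed data; the Appliance field names are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Accepts the spellings used on the page: "v19.0 MR1", "19.0.1", "v19.5 GA".
_VER = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+)|\s+(?:MR(\d+)|GA))?$", re.IGNORECASE)

# Stated on the page: v19.0 MR2 (19.0.2) and v19.5 GA are the fixed releases
# of the 19.x lines; anything up to and including v19.0 MR1 is affected.
FIXED_LINES = {(19, 0): (19, 0, 2), (19, 5): (19, 5, 0)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, maintenance) so versions compare as tuples.

    GA and a bare "X.Y" both map to maintenance release 0, matching Sophos'
    own numbering where v19.5 GA is 19.5.0 and v19.0 MR1 is 19.0.1.
    """
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, dot, mr = m.groups()
    return int(major), int(minor), int(dot or mr or 0)


def assess(version: str) -> str:
    """Classify one firmware version as fixed, vulnerable or verify-hotfix."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_LINES:
        return "fixed" if v >= FIXED_LINES[line] else "vulnerable"
    if line > (19, 5):
        return "fixed"  # assumption: releases after v19.5 GA include the fix
    if (17, 0) <= line <= (18, 5):
        return "verify-hotfix"  # page: fixes exist, MR level not given here
    return "vulnerable"  # older than 17.0: "v19.0 MR1 and earlier" is affected


@dataclass
class Appliance:
    name: str
    version: str
    wan_user_portal: bool  # User Portal reachable from the WAN zone (assumed field)
    wan_webadmin: bool  # Webadmin reachable from the WAN zone (assumed field)


def audit(appliances: list[Appliance]) -> list[dict]:
    """Combine patch status and admin-interface exposure into prioritised actions."""
    findings = []
    for a in appliances:
        status = assess(a.version)
        exposed = [name for name, on in (("User Portal", a.wan_user_portal),
                                         ("Webadmin", a.wan_webadmin)) if on]
        actions = []
        if status == "vulnerable":
            actions.append("upgrade")
        elif status == "verify-hotfix":
            actions.append("verify hotfix level")
        if exposed:
            actions.append("restrict WAN access to " + ", ".join(exposed))

        # An unpatched appliance with its admin surfaces on the WAN is the
        # exact condition the advisory describes being exploited.
        if status == "vulnerable" and exposed:
            priority = "critical"
        elif status != "fixed":
            priority = "high"
        elif exposed:
            priority = "medium"  # patched, but still worth hardening
        else:
            priority = "ok"
        findings.append({"name": a.name, "version": a.version, "status": status,
                         "exposed": exposed, "priority": priority, "actions": actions})
    return findings


# Constructed sample inventory covering each branch of the logic.
SAMPLE_INVENTORY = [
    Appliance("fw-hq", "v19.0 MR1", wan_user_portal=True, wan_webadmin=True),
    Appliance("fw-branch", "19.0.2", wan_user_portal=False, wan_webadmin=False),
    Appliance("fw-lab", "v18.5 MR3", wan_user_portal=False, wan_webadmin=True),
    Appliance("fw-dc", "v19.5 GA", wan_user_portal=True, wan_webadmin=False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['name']:10} {f['version']:10} {f['status']:14} "
              f"{f['priority']:8} {'; '.join(f['actions']) or '-'}")
```

The ordering of the two checks matters for triage: a fixed appliance that still publishes Webadmin to the WAN is only a hardening item, while an appliance on v19.0 MR1 with either interface exposed matches the condition the advisory describes and goes to the top of the list.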

This incident marks the second time within a year that Sophos Firewall has been subjected to active exploitation. Earlier in the year, in March, a separate vulnerability identified as CVE-2022-1040 saw malicious actors targeting similar organizations in the same geographic area.

In June 2022, cybersecurity firm Volexity linked these attacks to an advanced persistent threat group known as DriftingCloud, emphasizing the need for heightened vigilance among users of affected Sophos products. Previous security breaches involving Sophos firewall appliances have also involved the deployment of malware, including the Asnarök trojan, aimed at extracting sensitive data.

From a cybersecurity perspective, the activity in this ongoing attack maps onto the MITRE ATT&CK framework: the Initial Access tactic, achieved here through the Exploit Public-Facing Application technique, followed by remote code execution on the appliance, are the entries most relevant to understanding the nature of these threats. Business owners must remain vigilant and proactive in their cybersecurity measures to protect their networks against such vulnerabilities.
