Cyber Resilience

CVE-2022-3236

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 23 September 2022

Modified: 27 October 2025
KEV Added: 23 September 2022
Patch: available (see vendor advisory below)
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9284 (99.8th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-3236 is a critical-severity Code Injection (CWE-94) vulnerability in Sophos Firewall. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A code injection vulnerability tracked as CVE-2022-3236 affects the User Portal and Webadmin components of Sophos Firewall in version 19.0 MR1 and earlier. The flaw, assigned CWE-94 and carrying a CVSS v3.1 score of 9.8, permits unauthenticated remote code execution over the network.

An attacker with no credentials or user interaction can send specially crafted requests to the exposed User Portal or Webadmin interfaces, resulting in arbitrary code execution with full system impact on confidentiality, integrity, and availability.

Sophos published advisory sophos-sa-20220923-sfos-rce detailing the issue and available updates, while CISA added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

The associated EPSS score remains elevated at a current value of 0.9284 with a peak of 0.9311, indicating sustained exploitation interest following disclosure.


Vulnerability details

A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 23 September 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sophos firewall ≤ 19.0.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly counters the CWE-94 code injection by requiring validation of all inputs to the User Portal and Webadmin interfaces before execution.

SI-2 Flaw Remediation (prevent): Mandates prompt application of vendor patches that eliminate the unauthenticated RCE flaw in v19.0 MR1 and earlier.

prevent: Enforces boundary controls that can block external network access to the vulnerable web interfaces, limiting the attack surface.
