CVE-2022-3236
Published: 23 September 2022
Summary
CVE-2022-3236 is a critical-severity Code Injection (CWE-94) vulnerability in Sophos Firewall. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A code injection vulnerability tracked as CVE-2022-3236 affects the User Portal and Webadmin components of Sophos Firewall in version 19.0 MR1 and earlier. The flaw, assigned CWE-94 and carrying a CVSS v3.1 score of 9.8, permits unauthenticated remote code execution over the network.
An attacker with no credentials or user interaction can send specially crafted requests to the exposed User Portal or Webadmin interfaces, resulting in arbitrary code execution with full system impact on confidentiality, integrity, and availability.
Sophos published advisory sophos-sa-20220923-sfos-rce detailing the issue and available updates, while CISA added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
The associated EPSS score remains elevated at a current value of 0.9284 with a peak of 0.9311, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-42644
Vulnerability details
A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 23 September 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly counters the CWE-94 code injection by requiring validation of all inputs to the User Portal and Webadmin interfaces before execution.
- SI-2 (Flaw Remediation): Mandates prompt application of vendor patches that eliminate the unauthenticated RCE flaw in v19.0 MR1 and earlier.
- Boundary protection: Enforces boundary controls that can block external network access to the vulnerable web interfaces, limiting the attack surface.