CVE-2022-3236
Published 2022-09-23
A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.
Priority P1 (93) · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-10-14
Exploited in the wild
EPSS: 98.91% (99.9th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | firewall | <= 19.0.1 | — |
| sophos | sophos_firewall | unspecified – 18.5 MR4 | — |
Detection & IOCs (extracted from sources)
- CVE-2022-3236 affects the User Portal and Webadmin components of Sophos Firewall; monitor for exploit attempts targeting these interfaces from WAN-facing IPs.
- Use Qualys QID 730616 to identify Sophos Firewall installations vulnerable to CVE-2022-3236.
- Over 4,000 internet-exposed Sophos Firewall appliances remained unpatched as of January 2023; scan for exposed User Portal and Webadmin interfaces on internet-facing Sophos devices.
- New exploit attempts against CVE-2022-3236 were identified in December 2023 targeting older, unsupported (EOL) Sophos Firewall firmware versions; prioritize detection on EOL devices.
- The hotfix for CVE-2022-3236 is automatically applied only to appliances with 'accept hotfix' enabled; devices with this option disabled remain vulnerable unless manually updated.
- Workaround for CVE-2022-3236 when patching is impossible: restrict WAN access to User Portal and Webadmin and use VPN or Sophos Central instead.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 9.8 | CRITICAL | — |
| cisa | 9.8 | CRITICAL | — |
GHSA
GHSA-jv5x-4hfr-x3p5 · ghsa_unreviewed · 2022-09-25
CVE-2022-3236 [CRITICAL] CWE-74
A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.
VulnCheck
Sophos Firewall Code Injection Vulnerability
vulncheck · 2022 · CVSS 9.8
CVE-2022-3236 [CRITICAL] CWE-94
A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.
Affected: Sophos Firewall
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
- https://www.mandiant.com/resources/blog/zero-days-exploited-2022
- https://go.recordedfuture.com/hubfs/reports/cta-2023-1107.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based
CISA
Sophos Firewall Code Injection Vulnerability
cisa · 2022-09-23 · CVSS 9.8
CVE-2022-3236 [CRITICAL] CWE-94
Affected: Sophos Firewall
A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes:
- https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
- https://nvd.nist.gov/vuln/detail/CVE-2022-3236
Remediation Due Date: 2022-10-14
No detection rules found.
Nuclei
Sophos Firewall <= 19.0 MR1 - Remote Code Execution
nuclei · CVSS 9.8
CVE-2022-3236 [CRITICAL]
Sophos Firewall version v19.0 MR1 and older is vulnerable to code injection in the User Portal and Webadmin, allowing a remote unauthenticated attacker to execute arbitrary code.
Template:
```yaml
id: CVE-2022-3236

info:
  name: Sophos Firewall <= 19.0 MR1 - Remote Code Execution
  author: daffainfo
  severity: critical
  description: |
    Sophos Firewall version v19.0 MR1 and older is vulnerable to code injection in the User Portal and Webadmin, allowing a remote unauthenticated attacker to execute arbitrary code.
  impact: |
    Remote attackers can execute arbitrary code on the system, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of Sophos Firewall.
  reference:
    - https://www.thezdi.com/blog/2022/10/19/cve-2022-3
```
Tenable
Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
blogs_tenable · 2025-01-23
Trendmicro
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
blogs_trendmicro · 2024-11-25 · APT & Targeted Attacks
By: Leon M Chang, Theo Chen, Lenart Bermejo, Ted Lee, Nov 25, 2024
Since 2023, APT group Earth Estries has aggressively targeted key industries globally with sophisticated techniques and new backdoors, like GHOSTSPIDER and MASOL RAT, for prolonged espionage operations.
## Summary
Earth Estries, a Chinese APT group, has primarily targeted critical sectors like telecommunications and government entities across the US, Asia-Pacific, Middle East, and South Africa since 2023.
The group employs advanced attack techniques and multiple backdoors, such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, affecting several Southeast Asian telecommunications companies and governm
Bleepingcomputer
Salt Typhoon hackers backdoor telcos with new GhostSpider malware
blogs_bleepingcomputer · 2024-11-25 · By Bill Toulas
The Chinese state-sponsored hacking group Salt Typhoon has been observed utilizing a new "GhostSpider" backdoor in attacks against telecommunication service providers.
The backdoor was discovered by Trend Micro, which has been monitoring Salt Typhoon's attacks against critical infrastructure and government organizations worldwide.
Along with GhostSpider, Trend Micro discovered that the threat group also uses a previously documented Linux backdoor named 'Masol RAT,' a rootkit named 'Demodex,' and a modular backdoor shared among Chinese APT groups named 'SnappyBee.'
## Salt Typhoon's global campaigns
Salt Typhoon (aka 'Earth Estries', 'GhostEmperor', or 'UNC2286') is a sophisticated hacking group that h
Tenable
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
blogs_tenable · 2024-09-13
Bleepingcomputer
Sophos backports RCE fix after attacks on unsupported firewalls
blogs_bleepingcomputer · 2023-12-12 · CVSS 9.8 · By Bill Toulas
CVE-2022-3236 [CRITICAL]
Sophos opted to backport a security update for CVE-2022-3236 for end-of-life (EOL) firewall firmware versions after discovering hackers actively exploiting the flaw in attacks.
The flaw is a code injection problem in the User Portal and Webadmin of Sophos Firewall, allowing remote code execution.
Sophos fixed the security issue in September 2022 when it warned about active exploitation in the wild, impacting versions 19.0.1 and older.
Although the hotfix was automatically rolled out to appliances set to auto-accept security updates by the vendor, by January 2023, over 4,000 internet-exposed appliances remained vulnerable to attacks.
Many of these appliances were older devices running end-of-life firmwa
Trendmicro
SQL Injection in ManageEngine Privileged Access Management
blogs_trendmicro · 2022-11-23 · CVSS 9.8
CVE-2022-40300 [CRITICAL]
# CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management
By: Trend Micro Research, 2022/11/23
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched SQL injection vulnerability in Zoho ManageEngine products. The bug is due to improper validation of resource types in the AutoLogonHelperUtil class. Successful exploitation of this vulnerability could lead to arbitrary SQL code execution in the security context of the database service, which runs with SYSTEM privileges. The following is a portion of their write-up covering CVE-2022-3236, with a few mi
Qualys
October 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities With 13 Critical, Plus 12 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 29 Vulnerabilities With 17 Critical.
blogs_qualys · 2022-10-11 · CVSS 7.8 · [HIGH]
#### Table of Contents
- Microsoft Patch Tuesday Summary
- Microsoft Exchange ProxyNotShell Zero-Days Not Yet Addressed (QID 50122)
- The October 2022 Microsoft Vulnerabilities Are Classified As Follows:
- Two Zero-Day Vulnerabilities Addressed
- Microsoft Critical Vulnerability Highlights
- Microsoft Release Summary
- Microsoft Edge | Last But Not Least
- Adobe Security Bulletins and Advisories
- About Qualys Patch Tuesday
- Qualys Threat Research Blog Posts
- Qualys Threat Protection High-Rated Advisories
- Discover and Prioritize Vulnerabilities in Vulnerability Management Detection Response (VMDR)
- Rapid Response With Patch Management (PM)
- EXECUTE Mitigation Using Custom Assessment and Remediation (CAR)
- EVALUATE Vendor-Suggested Mitigation With Policy Compliance (PC)
- This Month in Vulnerabilities
Qualys
Qualys Research Team: Threat Thursdays, September 2022
blogs_qualys · 2022-09-29
## Table of Contents
- Threat Intelligence from the Qualys Blog
- New Threat Hunting Tools & Techniques
- New Vulnerabilities
- Noteworthy Mentions
- Threat Thursdays Webinar
Welcome to the second edition of the Qualys Research Team’s “Threat Research Thursday”, where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. Feedback on our first edition, Introducing Qualys Threat Research Thursdays, is more than welcome. We would love to hear from you!
## Threat Intelligence from the Qualys Blog
Here is a roundup of the most interesting blogs from the Qualys Research Team over the past couple of weeks:
- September 2022 Patch Tuesday – Debra Fezza Reed, our in-house unofficial “chief of intelligent vulnerability analyt
Published: 2022-09-23
Added to CISA KEV: 2022-09-23
Exploited in the wild