Sophos XG Firewall: RCE vulnerability (CVE-2022-3236)

Vendor Sophos warns about a remote code execution vulnerability in its firewall. The flaw is a code injection vulnerability in the user portal and web admin of the Sophos XG Firewall (UTM products are not affected). It is already being exploited in a limited number of cases in Asia. An update is available to close the vulnerability.


The advisory "Resolved RCE in Sophos Firewall (CVE-2022-3236)" is dated September 23, 2022, and covers Sophos XG Firewall v19.0 MR1 (19.0.1) and older versions. The vendor writes about the vulnerability:

A code injection vulnerability was discovered in the Sophos Firewall user portal and web admin, allowing remote code execution. The vulnerability has been fixed.

Sophos has observed this vulnerability being used to attack a small number of companies, mainly in the South Asia region. The affected companies have been notified directly by Sophos. Sophos plans to provide further details later.

Customers can protect themselves from external attackers by ensuring their user portal and web admin are not exposed to the WAN. There are device access best practices on this.

Hotfixes released

Sophos released the following hotfixes to close the vulnerability on September 21, 2022.

  • v19.0 GA, MR1, and MR1-1
  • v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4

As of September 23, 2022, the following hotfixes were released to close the vulnerability.

  • v18.0 MR3, MR4, MR5, and MR6
  • v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
  • v17.0 MR10

Sophos Firewall customers who have the "Allow automatic installation of hotfixes" feature enabled for fixed versions do not need to take any action. The update will then be installed automatically.


The hotfix is already included in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2) and v19.5 GA. Users of older versions of Sophos Firewall will need to upgrade to get the latest protection features and this fix. This support article contains instructions for verifying that the fix for CVE-2022-3236 is installed.
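As an added example (not code from Sophos or from this blog), the following Python triage helper turns the version lists above into an inventory check: it parses Sophos Firewall version strings, decides whether a device runs a release that already contains the fix, one that only received a hotfix (and therefore still needs the installation verified), or one that must be upgraded, and lists WAN-exposed devices first. The inventory format and host names are assumptions constructed for the example.

```python
import re

# Releases that already contain the fix (advisory): 18.5 MR5, 19.0 MR2, 19.5 GA.
FIXED_IN = {(18, 5): 5, (19, 0): 2, (19, 5): 0}
# Branch -> maintenance releases that received a hotfix (GA counted as MR0;
# "MR1-1" is treated as MR1, which is hotfixed on both branches that list it).
HOTFIXED = {(19, 0): {0, 1}, (18, 5): {0, 1, 2, 3, 4}, (18, 0): {3, 4, 5, 6},
            (17, 5): {12, 13, 14, 15, 16, 17}, (17, 0): {10}}
# Accepts "v19.0 MR1", "19.0 MR1-1", "18.5.5", "19.5 GA" and "v19.0 MR1 (19.0.1)".
VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\s*(?:MR\s*(\d+)(?:-\d+)?|GA|\.(\d+))?(?:\s*\([^)]*\))?$", re.I)

INVENTORY = [  # constructed sample data, not real hosts
    {"host": "fw-hq", "product": "XG", "version": "v19.0 MR1 (19.0.1)", "wan_exposed": False},
    {"host": "fw-branch", "product": "XG", "version": "18.0 MR2", "wan_exposed": True},
    {"host": "fw-lab", "product": "XG", "version": "19.5 GA", "wan_exposed": True},
    {"host": "utm-old", "product": "UTM", "version": "9.7", "wan_exposed": True},
]

def parse_version(text):
    """Return (major, minor, mr) for a Sophos Firewall version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    major, minor, mr, patch = m.groups()
    return int(major), int(minor), int(mr or patch or 0)

def triage(entry):
    """Classify one device: not_affected, fixed_release, hotfix_eligible or upgrade_required."""
    if entry.get("product", "").upper() == "UTM":
        return "not_affected"  # advisory: UTM products are not affected
    major, minor, mr = parse_version(entry["version"])
    branch = (major, minor)
    if branch > (19, 5) or (branch in FIXED_IN and mr >= FIXED_IN[branch]):
        return "fixed_release"
    if mr in HOTFIXED.get(branch, set()):
        return "hotfix_eligible"  # a hotfix exists; still confirm it is installed
    return "upgrade_required"  # no hotfix for this release: upgrade the firmware

def action_list(inventory):
    """Devices still needing work, WAN-exposed ones first (the advisory's interim
    mitigation is to keep user portal and web admin off the WAN)."""
    pending = [(e, triage(e)) for e in inventory]
    pending = [(e, s) for e, s in pending if s in ("hotfix_eligible", "upgrade_required")]
    pending.sort(key=lambda es: (not es[0].get("wan_exposed", False), es[0]["host"]))
    return [(e["host"], s) for e, s in pending]

if __name__ == "__main__":
    for host, status in action_list(INVENTORY):
        print(f"{host}: {status}")
```

A device reported as hotfix_eligible still has to be checked with the vendor's verification steps, since the version string alone does not reveal whether the hotfix was actually applied.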
