Background
CVE-2022-3236 is a code injection vulnerability in Sophos Firewall, disclosed and patched in September 2022. By the time Sophos went public, it had already been exploited in targeted attacks against organisations in the South Asia region — specifically, Sophos noted it was being used against “a small set of specific organisations primarily in the South Asia region.”
This fits into the broader pattern documented in Sophos’s “Pacific Rim” investigation, which detailed years of sophisticated attacks by Chinese state-sponsored threat actors against Sophos appliances. CVE-2022-3236 is one chapter in that longer story.
Technical Mechanism
The Sophos Firewall exposes a User Portal (for end users to configure their VPN profiles, access self-service tools, etc.) and a Webadmin interface (for administrators). Both interfaces are web-based and are often internet-accessible — the User Portal intentionally so, since remote users need to access it.
The vulnerability is a code injection in the authentication handling code within these interfaces. Specifically, certain parameters passed during the authentication flow (potentially in the username field or similar authentication-related parameters) are passed to a backend code execution path without sufficient sanitisation.
The attack path is:
- An unauthenticated attacker sends a crafted request to the User Portal or Webadmin login page
- The authentication backend processes the crafted parameter and passes it to an interpreter or system command
- The injected code executes server-side, giving RCE without any valid credentials
- Execution typically runs as root or as the firewall’s application user (high privilege)
The nature of code injection (as opposed to command injection) suggests the backend uses an interpreted language component that evaluates the attacker’s input.
Real-World Exploitation Evidence
Sophos confirmed targeted exploitation before the patch was available:
- South Asia targeting — Sophos explicitly identified the initial exploitation as targeting organisations primarily in South Asia, consistent with the geopolitical interests of Chinese APT groups targeting India, Bangladesh, Sri Lanka, and neighbouring countries
- Chinese APT connection — the “Pacific Rim” investigation Sophos published in 2023 documented a five-year campaign by Chinese threat actors (including groups linked to Volt Typhoon and related clusters) targeting Sophos devices; CVE-2022-3236 fits this pattern
- Persistence techniques — in targeted attacks, threat actors installed persistent backdoors on the compromised firewalls before Sophos could patch
- Post-exploitation — compromised firewalls were used to pivot into targeted organisations’ internal networks
Impact Assessment
- Root code execution on the Sophos Firewall appliance
- Full firewall control — modify firewall policies, create VPN accounts, access logs
- Traffic interception — with root access on the firewall, all traffic passing through it can be captured
- Internal network access — the firewall sits at the network perimeter; it’s connected to internal network segments
- Credential theft — VPN credentials, admin passwords, and pre-shared keys stored on the device
- Long-term espionage — targeted attacks focused on persistent access for intelligence gathering rather than immediate ransomware
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Sophos Firewall | v19.0 GA and earlier | v19.0 MR1 |
| Sophos Firewall | v19.5 GA | v19.5 MR1 |
Note: Sophos released automatic hotfixes to eligible devices — if your firewall received automatic updates, check whether the hotfix was applied.
Remediation Steps
- Update to Sophos Firewall v19.0 MR1 or v19.5 MR1 or later
- Verify hotfix application — Sophos pushed automatic hotfixes to devices with “Allow automatic installation of hotfixes” enabled:
  - Check: Administration > Firmware > Installed Hotfixes
- If you cannot confirm hotfix receipt:
  - Disable WAN access to the User Portal and Webadmin immediately
  - Navigate to: Administration > Device Access > Local service ACL
  - Remove WAN zone access from User Portal and Admin services
- Review admin audit logs for unexpected changes made before patching
- Check for new VPN accounts or admin accounts added to the firewall
- Review firewall policies for unexpected rule changes
- If compromise is suspected, Sophos has a forensic investigation guide — contact Sophos support
Detection Guidance
Sophos Firewall logs — look for:
- Failed and successful authentication attempts to User Portal from external IPs with unusual patterns
- Admin console access from unexpected IPs
- Unexpected configuration changes in the admin audit log
Access log patterns — unusual POST requests to authentication endpoints with atypical parameter structures.
Network monitoring — watch for unexpected outbound connections from the firewall management IP to external hosts.
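The access-log and authentication-log checks above can be scripted. The following is an added example, not Sophos's own tooling or log format: it parses constructed combined-style log lines (the `/userportal/login` and `/webadmin/login` paths, the `username` parameter name and the query-string placement of credentials are assumptions) and flags source IPs that send auth-endpoint POSTs with atypical username values, bursts of such POSTs, or POSTs that trigger server errors.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in a generic combined-log layout. The
# /userportal/login and /webadmin/login paths, the parameter names and the
# query-string placement of credentials are assumptions, not Sophos's format.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Sep/2022:08:01:12 +0000] "POST /userportal/login?username=alice&password=REDACTED HTTP/1.1" 302 0
203.0.113.10 - - [20/Sep/2022:08:09:30 +0000] "GET /userportal/home HTTP/1.1" 200 4096
198.51.100.7 - - [20/Sep/2022:08:02:01 +0000] "POST /userportal/login?username=bob%28%29%3B%7Bx%7D&password=x HTTP/1.1" 500 0
198.51.100.7 - - [20/Sep/2022:08:02:02 +0000] "POST /userportal/login?username=bob%28%29%3B%7Bx%7D&password=x HTTP/1.1" 500 0
198.51.100.7 - - [20/Sep/2022:08:02:03 +0000] "POST /webadmin/login?username=bob%28%29%3B%7Bx%7D&password=x HTTP/1.1" 500 0
192.0.2.5 - - [20/Sep/2022:08:03:00 +0000] "POST /userportal/login?username=carol&password=REDACTED HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
AUTH_PREFIXES = ("/userportal/", "/webadmin/")
# Characters a legitimate username (including DOMAIN\user) would contain.
USERNAME_OK = re.compile(r"^[A-Za-z0-9._@\\-]{1,64}$")
BURST_THRESHOLD = 3  # auth POSTs from one source IP within the sample

def analyse(log_text, burst=BURST_THRESHOLD):
    """Return sorted (source_ip, reason) findings for auth-endpoint POSTs."""
    findings = set()
    posts_per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        if method != "POST" or not url.path.startswith(AUTH_PREFIXES):
            continue
        posts_per_ip[ip] += 1
        # parse_qs percent-decodes, so the check sees the value the backend saw
        for user in parse_qs(url.query).get("username", []):
            if not USERNAME_OK.match(user):
                findings.add((ip, "atypical username parameter"))
        if status.startswith("5"):
            findings.add((ip, "server error on auth endpoint"))
    for ip, n in posts_per_ip.items():
        if n >= burst:
            findings.add((ip, "auth POST burst"))
    return sorted(findings)

if __name__ == "__main__":
    for ip, reason in analyse(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Correlate the flagged IPs with the admin audit log and the firewall's own outbound connections before treating a hit as confirmed exploitation.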
Suricata signature:

```
alert http any any -> $SOPHOS_FW_IPS any (msg:"Sophos Firewall CVE-2022-3236 Code Injection Attempt"; flow:established,to_server; http.uri; content:"/userportal/"; http.method; content:"POST"; classtype:web-application-attack; sid:2034028; rev:1;)
```

`$SOPHOS_FW_IPS` must be defined as an address group in suricata.yaml. Note that this rule matches every POST under /userportal/, including legitimate logins, so treat it as a hunting and baselining aid and tune it with source-IP context rather than using it as a high-fidelity alert.
Timeline
| Date | Event |
|---|---|
| 2022 (before September) | Chinese APT begins exploiting CVE-2022-3236 as zero-day against South Asian targets |
| 23 September 2022 | Sophos releases patch; discloses active exploitation |
| September 2022 | CISA adds to Known Exploited Vulnerabilities catalogue |
| 2023 | Sophos publishes “Pacific Rim” investigation documenting broader Chinese APT campaign |
| 2023–2024 | Ongoing investigation and disclosure of related Sophos appliance attacks |