UK-based cybersecurity firm Sophos this week announced patches for an exploited vulnerability in Firewall versions that have reached End-of-Life (EOL).
The critical-severity flaw, tracked as CVE-2022-3236, was found to impact versions 19.0 MR1 (19.0.1) and older of the product. It was originally patched in September 2022, but only in supported versions of Sophos Firewall.
Sophos describes the security defect as a code injection issue in the Firewall’s User Portal and Webadmin components, allowing attackers to achieve remote code execution (RCE).
This week, the cybersecurity firm updated its advisory to warn of a new in-the-wild exploit targeting the bug, and to draw attention to fixes it has released for older, EOL product versions.
“In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall,” the company says.
Organizations that have updated their instances to a supported version after September 2022 are protected against these attacks and do not need to take additional action, Sophos says.
However, devices running EOL firmware are vulnerable to the new exploit, and Sophos took immediate action to fix certain versions. The patches have been “automatically applied to the 99% of affected organizations that have ‘accept hotfix’ turned on,” the company says.
Starting December 6, Sophos has been rolling out hotfixes for Firewall versions 19.0 GA, MR1, and MR1-1; 18.5 GA, MR1, MR1-1, MR2, MR3, and MR4; and 17.0 MR10.
Sophos has included the fixes in Firewall versions 18.5 MR5 (18.5.5), 19.0 MR2 (19.0.2), and 19.5 GA, and urges customers using older iterations of the product to upgrade to receive the fixes.
“Attackers commonly hunt for EOL devices and firmware from any technology vendor, so we strongly recommend that organizations upgrade their EOL devices and firmware to the latest versions,” the company notes.
Last year, Sophos warned that the flaw had been exploited in attacks targeting “a small set of specific organizations, primarily in the South Asia region”. The company has not shared details on the recently observed attacks.