Tuesday, November 5, 2024
HomeCVE/vulnerabilitySophos Firewall Code Injection Flaw: Let Attackers Execute Remote Code

Sophos Firewall Code Injection Flaw: Let Attackers Execute Remote Code

Published on

Malware protection

A critical security flaw has been discovered in the Sophos Firewall User Portal and Webadmin, allowing hackers to execute malicious code remotely.

The vulnerability enables attackers to inject harmful code into the software, which if exploited, can result in a complete takeover of the system and data theft.

The Sophos updated their firewalls to a new version in order to detect new exploit attempts against the older version. This RCE vulnerability has a score of Critical (9.8).

- Advertisement - SIEM as a Service

Sophos said that “vulnerable devices are running end-of-life (EOL) firmware. We immediately developed a patch for certain EOL firmware versions, which was automatically applied to the 99% of affected organizations that have “accept hotfix” turned on”.

Sophos Firewall v19.0 MR1 (19.0.1) and older, which was released in 2022, has become outdated. As a result, the firmware on every vulnerable device has reached its end-of-life (EOL).

This means that these devices will no longer receive updates or support, leaving them open to potential security risks and vulnerabilities.

It is important to note that attackers have been on the lookout for firmware and end-of-life (EOL) devices from various technology vendors.

This particular vulnerability has been exploited with the purpose of targeting a specific group of companies, mostly located in South Asia, as reported by Sophos.

Web admin Portals

It is crucial for organizations to take steps to ensure the security of their User Portal and Web admin, by preventing their exposure to the Wide Area Network (WAN).

For remote access and management, it is advisable to utilize either VPN or Sophos Central (which is the recommended choice). To adhere to device access best practices, it is recommended by Sophos to disable WAN access to the User Portal and Webadmin.

The hotfix installation is automatically enabled by default. Follow these steps to confirm this setting:

  • Go to Backup & firmware > Firmware > Hotfix.
  • Turn on Allow automatic installation of hotfixes.
  • Click Apply.

If hotfixes are enabled, but you are not getting them, check the connectivity requirements for the Up2Date component on Sophos Firewall: Default services.

To verify the hotfix
To verify the hotfix

It is crucial for organizations to stay vigilant and take necessary measures to protect their systems and data from potential attacks.

Latest articles

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...