
Multiple Code Execution Vulnerabilities Patched in Sophos Firewall

Issued: Sunday, 11 December, 2022
Last Revision: Sunday, 11 December, 2022
Vendor: 
Product: 
Severity Level: 

Summary:

A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed. No action is required for Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled on remediated versions.

Sophos has observed this vulnerability being used in the wild. Three of the vulnerabilities patched in Sophos Firewall 19.5 have a ‘high’ severity rating, including CVE-2022-3226, an OS command injection issue that can be exploited by an attacker with admin privileges to execute code via SSL VPN configuration uploads.


CVE-2022-3713 allows an adjacent attacker to execute code in the Wi-Fi controller. The third high-severity issue, CVE-2022-3696, allows an attacker with admin privileges to execute malicious code in the web-based administrative interface. The remaining three vulnerabilities have medium or low severity.

Successful exploitation of these vulnerabilities may result in data loss, service disruption, deployment of ransomware or other malware, and lateral movement by the attacker.

| CVE/Vulnerability | Affected Products | CVSS Score | Exploitable |
|---|---|---|---|
| CVE-2022-3236 | Sophos Firewall v19.0 MR1 (19.0.1) & older | 9.8 | Yes |
| CVE-2022-3226 | Sophos Firewall v19.0 MR1 (19.0.1) & older | 7.2 | No |
| CVE-2022-3713 | Sophos Firewall v19.0 MR1 (19.0.1) & older | 8.8 | No |
| CVE-2022-3696 | Sophos Firewall v19.0 MR1 (19.0.1) & older | 7.2 | No |
| CVE-2022-3709 | Sophos Firewall v19.0 MR1 (19.0.1) & older | 8.4 | No |
| CVE-2022-3236 | Sophos Firewall v19.0 MR1 (19.0.1) & older | 9.8 | No |

Recommendation:

Organizations using older versions are required to upgrade to the latest version of Sophos Firewall at the earliest opportunity.