CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 9 min read

CVE-2022-3236: Sophos Firewall Code Injection Zero-Day

A critical unauthenticated code injection in Sophos Firewall's User Portal and Webadmin, exploited as a zero-day by a Chinese APT to intercept network traffic and plant persistent backdoors across South Asian targets

9.8
CVSS Score
0-day
Exploited before disclosure
Chinese APT
Attributed threat actor
Auto-hotfix
Delivery method (caveats apply)

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2022-3236 is a critical unauthenticated code injection vulnerability in the User Portal and Webadmin interfaces of Sophos Firewall (formerly XG Firewall), disclosed in September 2022 and already being exploited as a zero-day at time of disclosure. Volexity's threat research attributed the campaign to a Chinese APT cluster they track as Storm Cloud, which used the vulnerability to achieve root-level code execution on internet-facing firewall appliances in South and Southeast Asian organizations. Post-exploitation activity included traffic interception, credential harvesting, and deployment of persistent backdoors designed to survive standard firmware upgrades.

Vulnerability Details: User Portal and Webadmin Injection

Sophos Firewall (SFOS) exposes two web interfaces: the User Portal (for VPN user self-service, typically accessible from the internet on port 443 or 4444) and Webadmin (the administrative interface). Both process user-supplied HTTP request parameters as part of their functionality.

CVE-2022-3236 exists in a component shared by both interfaces that failed to adequately sanitize certain request parameters before passing them to OS-level functions. An unauthenticated attacker can inject OS commands through these parameters, which execute as root on the underlying Sophos Firewall Linux appliance (SFOS is a hardened Linux distribution).

Root-level RCE on the firewall appliance grants complete control: modification of firewall rules, packet capture of all passing traffic, access to VPN credential stores, and the ability to plant persistence mechanisms at any level of the OS.

Storm Cloud APT Campaign: Backdoors and Traffic Interception

Volexity's investigation revealed a sophisticated multi-stage compromise framework deployed by Storm Cloud following initial CVE-2022-3236 exploitation:

Asnarök variant: A modified version of the Asnarök malware family (previously used in the 2020 Sophos XG zero-day campaign) was deployed for persistence. The malware writes to partition locations not covered by standard Sophos integrity checking, surviving firmware upgrades.

Traffic interception: Attackers modified iptables rules and deployed packet capture tooling on the compromised firewall to intercept all decrypted traffic passing through it, including VPN sessions, which the firewall terminates and re-encrypts.

Credential harvesting: VPN credentials of users authenticating through the compromised appliance were captured from the decrypted traffic stream.

Lateral movement: Using harvested credentials, Storm Cloud moved laterally to internal network systems accessible via VPN, deploying Gh0st RAT and the TSTRAT backdoor on Windows endpoints.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Attack Chain

Storm Cloud's exploitation and post-compromise sequence:

1

Identify Internet-Exposed Management Interface

Scan for Sophos Firewall User Portal or Webadmin interfaces accessible from the internet; common ports are 443 and 4444 depending on configuration.

2

Unauthenticated Code Injection

Send crafted HTTP request with injected OS commands in vulnerable parameters; commands execute as root on the Sophos Firewall Linux appliance without any authentication.

3

Asnarök Persistence Installed

Deploy Asnarök-variant backdoor to persistent storage locations outside the standard SFOS integrity check coverage; backdoor survives standard firmware upgrade.

4

Traffic Interception Enabled

Modify iptables rules and deploy packet capture to intercept all traffic flowing through the firewall, including decrypted VPN sessions and internal communications.

5

Lateral Movement and RAT Deployment

Use harvested VPN credentials to access internal network; deploy Gh0st RAT and TSTRAT backdoor on internal Windows endpoints for persistent espionage access.

Indicators of Compromise

Known artifacts from CVE-2022-3236 exploitation and the Storm Cloud campaign:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Steps in order of urgency:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2022-3236 is the third Sophos Firewall zero-day attributed to Chinese APT actors within two years, preceded by CVE-2020-12271 in 2020 and CVE-2022-1040 earlier in 2022. This pattern indicates persistent, dedicated vulnerability research into Sophos Firewall products by well-resourced threat actors who consider the platform a high-value intelligence access point. Organizations using Sophos Firewall must treat management interface isolation as a critical architectural requirement, not an optional hardening measure, and should apply patches with the same urgency applied to any internet-facing perimeter device.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

Is CVE-2022-3236 the same as the 2020 Sophos XG Firewall zero-day?

No. The 2020 campaign exploited CVE-2020-12271 (SQL injection RCE via a different attack surface). CVE-2022-3236 is a separate code injection vulnerability. However, both campaigns deployed variants of the Asnarök malware and share infrastructure patterns consistent with the same Chinese APT cluster, suggesting persistent research investment in Sophos Firewall exploitation.

Did the automatic Sophos hotfix protect all customers?

No. Sophos's automatic hotfix delivery requires outbound internet connectivity from the firewall to Sophos update servers. Devices on air-gapped networks or with restricted outbound connectivity did not receive the automatic update and required manual hotfix installation, a gap that left many enterprise deployments exposed beyond the initial patch window.

Should we consider a factory reset even after applying the hotfix?

Yes, if your device was internet-exposed before the hotfix was applied. Volexity's research confirmed that the Asnarök-variant malware deployed by Storm Cloud modifies the Sophos Firewall Linux base in ways that survive standard firmware upgrades. A factory reset to a verified clean base image followed by the current patched firmware is the only reliable remediation if compromise is suspected.

What is Asnarök malware and why does it survive standard Sophos Firewall firmware upgrades?

Asnarök is a Chinese APT-developed persistent backdoor specifically designed for Sophos Firewall (XG/SFOS) appliances. It was first observed in the 2020 Sophos XG zero-day campaign (CVE-2020-12271) and re-used with modifications in the CVE-2022-3236 campaign. Asnarök survives firmware upgrades by writing its components to persistent storage partitions on the Sophos Firewall appliance that are outside the scope of SFOS's firmware integrity verification and update process. When SFOS upgrades its protected partitions, Asnarök remains in the unmonitored storage and reattaches to the updated system. This is a deliberate design decision by the malware authors to achieve persistence that outlasts the standard remediation an administrator would attempt after detecting the initial compromise.

Were other Sophos Firewall zero-days exploited by the same APT cluster before CVE-2022-3236?

Yes. The Chinese APT cluster tracked by Volexity as Storm Cloud exploited two earlier Sophos Firewall zero-days before CVE-2022-3236. [CVE-2020-12271](https://nvd.nist.gov/vuln/detail/CVE-2020-12271) (patched April 2020) was an unauthenticated SQL injection vulnerability exploited to deploy Asnarök malware for the first time. [CVE-2022-1040](https://nvd.nist.gov/vuln/detail/CVE-2022-1040) (patched March 2022, patched while being actively exploited) was a pre-authentication code execution vulnerability in the Sophos Firewall User Portal and Webadmin. CVE-2022-3236 (September 2022) is the third Sophos Firewall zero-day in roughly 30 months attributed to the same actor cluster, indicating sustained, dedicated investment in researching Sophos Firewall as an espionage access point.

How do I verify whether my Sophos Firewall received the September 2022 automatic hotfix?

Log in to the Sophos Firewall Webadmin interface and navigate to System > Diagnostics > System information. Look for the hotfix status section which lists installed hotfixes with dates. The CVE-2022-3236 hotfix should appear as hotfix 'HF119814' or the equivalent for your SFOS version. Alternatively, check Sophos KB000045839 for the specific hotfix identifiers and verification steps for each affected SFOS version. If the hotfix is not listed, your device did not receive the automatic update and requires manual hotfix installation or upgrade to SFOS 19.5 MR3 or later.

Sources & references

  1. Sophos Security Advisory SFOS RCE, SA-20220923
  2. Volexity, Storm Cloud Exploiting Sophos Firewall Zero-Day
  3. CISA Alert, Sophos Firewall Vulnerability

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.