Open Briefing

A concise, technical teardown of a current threat affecting Australian infrastructure.

Advisory

Sophos Firewall Pre-auth RCE (CVE-2022-3236)

June 2026 update — remains in CISA KEV; active exploitation observed in Australia.

Sophos Firewall v18.5 / v19.0 MR3 and earlier allow unauthenticated remote code execution via crafted HTTP requests to the web-admin portal. Exploitation requires no authentication, valid session, or user interaction. Successful exploitation yields OS-level command execution as a root-equivalent service account.

The vulnerability is triggered through a stack-based buffer overflow in the cef component, caused by improper bounds checking prior to HTTP response parsing. Exploit kits and PoC scripts are publicly available. Patch to v19.0.4 or later, and ensure the web-admin interface is not Internet-facing.

Australian exposure: ACSC has previously published advisory guidance for Sophos Firewall. Any Australia-facing appliance still on the affected branch should be treated as a mandatory patching priority.
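To turn the patch guidance above into a repeatable check, the following added example (not code from Sophos or from this briefing) parses SFOS-style version strings from an asset inventory and flags appliances below the v19.0.4 fix line, ranking those with an exposed web-admin interface first. The version-string formats, host names and inventory layout are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Fix line stated in the advisory: v19.0.4 or later. Everything below is on the affected branch.
FIXED_VERSION = (19, 0, 4)

# Assumed version formats: "SFOS 19.0.1 MR-1-Build365", "v19.0 MR3", "18.5.5 MR-5", "19.0.4".
# Sophos maintenance releases map to the third component, so "19.0 MR3" is treated as 19.0.3.
_VERSION_RE = re.compile(
    r"(?:SFOS\s*|v)?(\d+)\.(\d+)(?:\.(\d+))?(?:\s*MR-?(\d+))?", re.IGNORECASE
)


def parse_sfos_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, maintenance) from an SFOS version string, or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:          # explicit third component, e.g. 19.0.1
        third = int(m.group(3))
    elif m.group(4) is not None:        # only an MR number, e.g. "19.0 MR3" -> 19.0.3
        third = int(m.group(4))
    else:                               # bare "19.0" is the GA build, before MR1
        third = 0
    return (major, minor, third)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version predates the v19.0.4 fix (covers v18.5 and v19.0 MR3 and earlier)."""
    return version < FIXED_VERSION


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, Optional[tuple], str]]:
    """Rank each (host, version_text, webadmin_internet_facing) entry for patching priority."""
    results = []
    for host, version_text, internet_facing in inventory:
        ver = parse_sfos_version(version_text)
        if ver is None:
            status = "UNKNOWN: verify version manually"
        elif not is_affected(ver):
            status = "OK"
        elif internet_facing:
            status = "PATCH NOW: affected branch and web-admin exposed"
        else:
            status = "PATCH: affected branch"
        results.append((host, ver, status))
    return results


# Constructed sample inventory: (hostname, version string, web-admin reachable from the Internet)
SAMPLE_INVENTORY = [
    ("fw-syd-01", "SFOS 19.0.1 MR-1-Build365", True),
    ("fw-mel-02", "v19.0 MR3", False),
    ("fw-bne-03", "SFOS 19.0.4 MR-4", True),
    ("fw-per-04", "18.5.5 MR-5", False),
    ("fw-adl-05", "unknown", False),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {str(ver):14} {status}")
```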

This briefing is for authorised educational use only. Unauthorised testing is a criminal offence.