13 December 2023

Sophos rolls out updates for old firewall bug still actively exploited by hackers

UK-based cybersecurity firm Sophos has released updated security patches for a remote code execution (RCE) vulnerability in end-of-life (EOL) firewall firmware, originally addressed in September 2022, after learning that the flaw is being actively exploited in the wild.

The flaw, tracked as CVE-2022-3236, is a code injection issue stemming from improper input validation in the User Portal and Webadmin interfaces of Sophos Firewall. It can be exploited for remote code execution via a malicious request. The issue affects Sophos Firewall v19.0 MR1 (19.0.1) and older.

“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability was originally fixed in September 2022. In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall,” the company said, noting that no action is required for organizations that upgraded their firewalls to a supported firmware version after September 2022.

In an advisory published in September, Sophos revealed that CVE-2022-3236 was exploited in attacks targeting a small set of specific organizations, primarily in the South Asia region. In August, the vendor disclosed another zero-day (CVE-2022-1040) in the same component, which was also used in attacks targeting organizations in South Asia.
