On 11 December 2023, Sophos reported exploitation attempts targeting end-of-life (EOL) instances vulnerable to a User Portal and Webadmin of Sophos Firewall code injection vulnerability fixed in September 2022 (CVE-2022-3236). Attacks in the wild have been observed against versions 19.0.1 and older.
Sophos recommends re-enabling auto-update to roll out the September 2022 fix for EOL instances or upgrading manually. However, Sophos User Portal users are vulnerable only if their instance is exposed to the wide area network. Potential workarounds include preventing such exposure.