CVE-2022-3713 is a code injection vulnerability identified in the WiFi controller component of Sophos Firewall devices running versions older than 19.5 GA. This vulnerability is classified under CWE-94, which pertains to improper control of code injection, allowing an attacker to inject and execute arbitrary code. The flaw specifically enables an adjacent attacker—meaning someone with network proximity, such as being on the same local network segment—to exploit the vulnerability without requiring authentication or user interaction. By leveraging this vulnerability, an attacker could execute arbitrary code within the WiFi controller process, potentially gaining control over the firewall's WiFi management functions. This could lead to unauthorized access, manipulation of network traffic, or disruption of wireless services. The vulnerability was publicly disclosed on December 1, 2022, and while no known exploits have been reported in the wild, the risk remains significant given the critical role of firewalls in network security. The lack of a CVSS score necessitates an independent severity assessment based on the impact on confidentiality, integrity, and availability, ease of exploitation, and scope of affected systems. Sophos Firewall is widely deployed in enterprise and organizational environments, often serving as a key security perimeter device. The WiFi controller module is integral for managing wireless access points and traffic, so compromise here could undermine the overall network security posture.

For European organizations, exploitation of this vulnerability could have serious consequences. Sophos Firewall devices are commonly used across various sectors including government, finance, healthcare, and critical infrastructure. Successful code injection could allow attackers to bypass firewall protections, intercept or manipulate sensitive data, and disrupt wireless network availability. This could lead to data breaches, loss of confidentiality, and operational downtime. Given the adjacency requirement, attackers would need to be on the same local network or connected via compromised devices, which is plausible in scenarios such as insider threats, compromised guest networks, or targeted attacks within corporate environments. The impact is amplified in environments where wireless access is critical for business operations or where segmented networks rely on the firewall for isolation. Additionally, disruption or manipulation of WiFi services could affect remote work capabilities and IoT device connectivity, both increasingly important in European enterprises. The absence of known exploits suggests that proactive patching and mitigation can effectively reduce risk before active exploitation occurs.

1. Immediate upgrade of all Sophos Firewall devices to version 19.5 GA or later, where this vulnerability is addressed, is the most effective mitigation. 2. If immediate patching is not feasible, restrict access to the WiFi controller interface by implementing network segmentation and access control lists (ACLs) to limit adjacency exposure. 3. Monitor network traffic for unusual activity on the WiFi controller ports and interfaces, employing intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous code injection attempts. 4. Enforce strict wireless network security policies, including strong authentication and isolation of guest or untrusted wireless clients to reduce the risk of adjacent attackers. 5. Conduct regular security audits and vulnerability scans specifically targeting firewall devices to identify outdated versions and configuration weaknesses. 6. Educate network administrators about the risks of adjacent network attacks and encourage timely application of security updates. 7. Utilize network segmentation to isolate critical systems from wireless networks managed by the firewall to minimize the blast radius in case of compromise.