Sophos is a well-known vendor in the security area, in fact one of the best positioned on the market. Its all-in-one Universal Threat Management (UTM) solution recently presented a SQL injection vulnerability, one of the vulnerability classes that can cause the most damage to information confidentiality: if it is exploited, entire databases with usernames and password hashes can be extracted, and even though the passwords are hashed, weak passwords can easily be recovered from the hash by a brute-force attack.
This vulnerability is catalogued as CVE-2022-0386 and was discovered by Sophos itself during an internal security test. The SQL injection is located in the Mail Manager component.
Sophos released the update containing the corresponding patch for this vulnerability earlier this month; if you do not have the latest update or are not using the latest version of this solution, you should update to version 9.710, which includes the required security fix.
The same update also removes other vulnerabilities present in UTM, such as the outdated SSL VPN client and CVE-2022-0652, which allowed password hashes to be written to system log files.