I’ll keep this short and practical. If Sophos Connect for Mac 1.4 shows up on your scan with multiple CVEs, you need to confirm what’s flagged, why it’s flagged, and whether you can safely remove or mitigate the client until a proper patch arrives. Below I list what you will see, where it happens, how I investigate root cause, the sensible fixes and temporary workarounds, and how to verify the remediation.
What you see
Your scanner will list Sophos Connect and show CVE identifiers against the installed package. Typical detections include:
- CVE-2022-4901
- CVE-2022-48310
- CVE-2022-48309
A sample scanner line looks like:
“Detected: Sophos Connect 1.4 — CVE-2022-48310 (high) — vulnerable component: [library name/version]”.
On macOS a quick check shows the installed app version. Run:
mdls -name kMDItemVersion -raw /Applications/Sophos\ Connect.app
Expected if patched: 2.x (per vendor guidance). Actual on affected hosts: 1.4.
Confirm running components with:
ps aux | grep -i 'Sophos Connect'
and
sudo lsof -nP | grep -i 'Sophos Connect'
If the scanner reports a vulnerable library, note the library name and path from the scan output. Keep the exact plugin ID or rule name from the scanner. That string is what you will use in support requests and when searching release notes.
Where it happens
This is a client-side issue on macOS endpoints running Sophos Connect 1.4. It appears when the client bundles or links to components that match known CVEs. The problem shows up in standard vulnerability scanners such as Nessus, Qualys, or any SCA that inspects installed binaries and libraries.
Common environments affected:
- Laptops and desktops with Sophos Connect 1.4 installed.
- Any Mac that has had the client installed historically, even if not actively used.
- Images or gold images that include Sophos Connect.
Scanners flag the package during passive or active scans. The detection can be local (scanner agent on the Mac) or remote (credentialed scan that reads installed packages). Users report scans changing severity depending on the scanner signature. That makes verification important; do not rely on a single scan result.
Find the cause
Start by mapping which binary or library triggers the CVE. Use these commands on the Mac:
List app version:
mdls -name kMDItemVersion -raw /Applications/Sophos\ Connect.app
Find linked libraries:
otool -L /Applications/Sophos\ Connect.app/Contents/MacOS/Sophos\ Connect
Search for shipped libraries:
find /Applications/Sophos\ Connect.app -type f \( -name '*.dylib' -o -name '*.so' \) -print
Compare what the scanner reports with the output of otool and find. Sample expected vs actual:
- Expected: no vulnerable lib XYZ or patched XYZ v2.0.0
- Actual: libXYZ v1.0.0 present in App bundle
If the CVEs reference third-party components, the root cause is the bundled component, not macOS itself. If the scanner points to a package name but you cannot find the library on disk, the scanner may be using a fingerprint or advisory that produces false positives. Record exact scanner output and timestamp. Use that when you contact Sophos support.
Check release notes and vendor advisories. Look for the release note that mentions CVE-2022-48310 or the 2.x branch. Log the support case number and any vendor reply. I keep quoted lines from vendor support in the ticket so there is no ambiguity.
Fix
Vendor path
- Follow Sophos guidance. Reports say Sophos recommends upgrading to a 2.x branch to remediate these CVEs. If you have a 2.x Mac build available through Sophos, plan a staged upgrade. If no Mac 2.x is published, open a support case and ask for a Mac-specific patch or ETA, quoting the scanner output.
Practical patching steps
- If a Mac 2.x installer is available: test on a single device, confirm functionality, then roll out via your software distribution tool.
- After upgrade, re-run the scanner and confirm CVEs no longer appear.
Workarounds while waiting for a proper software upgrade
- Disable the Sophos Connect client when not required for remote access. Do not remove endpoint protection unless policy allows it.
- Use an alternative, approved VPN client if your security policy permits. Export and import VPN configuration as required.
- Restrict the Macs that run the client to a smaller group until it is patched.
Safe temporary disable steps (practical commands)
- Quit the app from the menu bar or run:
osascript -e 'tell application "Sophos Connect" to quit'
- Kill stubborn processes:
sudo pkill -f 'Sophos Connect'
- Stop an active VPN connection via the network configuration utility (list the services first, then stop the Sophos Connect one by name):
scutil --nc list
scutil --nc stop "<service name from the list>"
Note: do not unload unrelated Sophos endpoint services. Removing endpoint protection can expose the device. Only disable Sophos Connect if remote access is the specific risk vector and your policy permits removal for short windows.
Check it’s fixed
Verification steps
- Re-run the same scanner that reported the issue, using the same credentials and scan policy. Compare the exact plugin ID and rule name. If the CVE no longer appears, record the scan ID and timestamp.
- Confirm app version:
mdls -name kMDItemVersion -raw /Applications/Sophos\ Connect.app
- Confirm offending libraries are gone or upgraded:
otool -L /Applications/Sophos\ Connect.app/Contents/MacOS/Sophos\ Connect
find /Applications/Sophos\ Connect.app -type f -name '*.dylib' -exec strings {} \; | grep -i '<library name from the scan output>'
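A small POSIX shell helper, added here as an example (it is not Sophos tooling), that ties the root-cause and verification steps above together: it pulls the unique CVE ids out of a saved scanner export so the same identifiers can be re-checked after the upgrade, tests whether an installed version string meets the 2.x branch named in the vendor guidance, and hashes the shipped libraries to produce the file path and file hash evidence a support case needs. The bundle path and the scanner line format are assumed from this page; the "Detected:" lines in the comments are constructed samples.

```shell
#!/bin/sh
# Triage helper for the Sophos Connect 1.4 findings described above.
# Added example, not Sophos tooling. Assumed: the bundle path shown in
# this article, a saved scanner export containing constructed lines like
# "Detected: Sophos Connect 1.4 - CVE-2022-48310 (high)", and the 2.x
# "patched" branch named in the vendor guidance.

APP="/Applications/Sophos Connect.app"
REQUIRED_MAJOR=2

# installed_version: kMDItemVersion of the bundle, or "unknown" when run
# somewhere without mdls (for example on a Linux scan host).
installed_version() {
  if command -v mdls >/dev/null 2>&1 && [ -d "$APP" ]; then
    mdls -name kMDItemVersion -raw "$APP"
  else
    echo unknown
  fi
}

# version_is_patched VERSION: succeeds when the major number is at least
# REQUIRED_MAJOR; rejects "unknown" and other non-numeric strings.
version_is_patched() {
  major=${1%%.*}
  case "$major" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$major" -ge "$REQUIRED_MAJOR" ]
}

# cves_from_scan FILE: unique CVE ids from a scanner export, so the exact
# identifiers can be compared before and after remediation.
cves_from_scan() {
  grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' "$1" | sort -u
}

# bundled_libs: every shipped .dylib/.so with its SHA-256, which is the
# "file path, file hash" evidence to attach to the support case.
bundled_libs() {
  find "$APP" -type f \( -name '*.dylib' -o -name '*.so' \) \
    -exec shasum -a 256 {} \;
}
```

On a Mac, source the file and run `cves_from_scan scan.txt`, `installed_version` and `bundled_libs`; the same three outputs, captured before and after the upgrade, are what you compare in the verification step.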
Log checks
- Use macOS unified logging to look for connection or client errors:
log show --predicate 'process == "Sophos Connect"' --last 1d
Ongoing monitoring
- Add the package and CVE signatures to your asset inventory and vulnerability dashboard. Track new advisories from Sophos release notes for CVE-2022-48310 and the related IDs.
- If the scanner continues to flag the CVE after upgrade, collect the scanner output, the file path, file hash, and vendor response. That information is what Sophos needs to mark the finding as resolved or to provide a targeted patch.
Root cause and remediation summary
- The CVEs point to components bundled with Sophos Connect, not to macOS itself. The recommended remediation is a software upgrade to the vendor’s patched build. If a Mac-specific 2.x is not available, use the temporary mitigations above, and escalate to Sophos support with exact scanner output and the device artifacts you collected.
If you want, send me the scanner output and mdls/otool outputs and I will look for the exact file the scanner flags.