Scanner gratuitement
CRITICALCVE-2025-7624CVSS 9.8

An SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to remote code execution, if a quarantining policy is active for

traduction en cours…

Plateforme

sophos

Composant

sophos-firewall

Corrigé dans

21.0 MR2 (21.0.2)

AI Confidence: highNVDEPSS 0.3%Révisé: mai 2026
Voir sur NVD
Sauvegarder
Traduction vers votre langue…

CVE-2025-7624 describes a critical SQL injection vulnerability discovered in the legacy (transparent) SMTP proxy of Sophos Firewall. Successful exploitation, particularly when a quarantining policy is active for Email and the firewall has been upgraded from a version older than 21.0 GA, can result in remote code execution. This vulnerability impacts Sophos Firewall versions prior to 21.0 MR2 (21.0.2), and a fix is available in version 21.0 MR2 (21.0.2).

Impact et Scénarios d'Attaquetraduction en cours…

The SQL injection vulnerability in Sophos Firewall allows an attacker to inject malicious SQL code into the SMTP proxy's query processing. If a quarantining policy is enabled for email and the firewall was upgraded from a version before 21.0 GA, this injected code can be leveraged to execute arbitrary commands on the firewall itself. This represents a significant escalation of privilege, potentially granting the attacker full control over the firewall and any systems behind it. The impact extends beyond the firewall itself, as a compromised firewall can be used as a pivot point to attack internal network resources, leading to widespread data breaches and system compromise. The ability to execute code directly on the firewall bypasses typical network defenses and makes detection considerably more challenging.

Contexte d'Exploitationtraduction en cours…

CVE-2025-7624 was publicly disclosed on 2025-07-21. The vulnerability's critical CVSS score and the potential for remote code execution suggest a high probability of exploitation. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of SQL injection exploitation often leads to rapid PoC development and potential inclusion in exploit kits. It is not currently listed on CISA KEV, but its severity warrants close monitoring. Active campaigns targeting Sophos Firewall are not currently confirmed, but the vulnerability's profile makes it an attractive target.

Qui Est à Risquetraduction en cours…

Organizations relying on Sophos Firewall for email security, particularly those with active email quarantining policies and legacy firewall deployments (versions older than 21.0 GA), are at significant risk. Shared hosting environments where multiple customers share a single Sophos Firewall instance are also vulnerable, as a compromise of one customer's email could potentially impact others.

Étapes de Détectiontraduction en cours…

• sophos: Examine Sophos Firewall logs for unusual SQL query patterns, specifically targeting the SMTP proxy. Look for queries containing SQL keywords like UNION, SELECT, INSERT, UPDATE, or DELETE.

Get-SophosFirewallLog -LogType 'SQLInjection' -StartTime (Get-Date).AddDays(-7)

• linux / server: Monitor system logs (e.g., /var/log/syslog, /var/log/messages) for suspicious processes or network connections originating from the Sophos Firewall. Use lsof or ss to identify processes listening on unusual ports or connecting to unexpected destinations.

lsof -i :25 | grep sophos

• generic web: If the SMTP proxy is exposed externally, use curl or wget to probe for potential injection points. Examine response headers for unexpected SQL error messages.

curl -H "X-Custom-Header: '; DROP TABLE users; --" http://sophosfirewall/smtp_proxy

Chronologie de l'Attaque

  1. Disclosure

    disclosure

Renseignement sur les Menaces

Statut de l'Exploit

Preuve de ConceptInconnu
CISA KEVNO
Exposition InternetÉlevée

EPSS

0.33% (percentile 56%)

CISA SSVC

Exploitationnone
Automatisableyes
Impact Techniquetotal

Vecteur CVSS

RENSEIGNEMENT SUR LES MENACES· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetworkComment l'attaquant atteint la cibleAttack ComplexityLowConditions requises pour exploiterPrivileges RequiredNoneNiveau d'authentification requisUser InteractionNoneSi une action de la victime est requiseScopeUnchangedImpact au-delà du composant affectéConfidentialityHighRisque d'exposition de données sensiblesIntegrityHighRisque de modification non autorisée de donnéesAvailabilityHighRisque d'interruption de servicenextguardhq.com · Score de base CVSS v3.1
Que signifient ces métriques?
Attack Vector
Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
Attack Complexity
Faible — aucune condition spéciale requise. Exploitable de manière fiable.
Privileges Required
Aucun — sans authentification. Aucune identifiant requis pour exploiter.
User Interaction
Aucune — attaque automatique et silencieuse. La victime ne fait rien.
Scope
Inchangé — impact limité au composant vulnérable.
Confidentiality
Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
Integrity
Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
Availability
Élevé — panne complète ou épuisement des ressources. Déni de service total.

Logiciel Affecté

Composantsophos-firewall
FournisseurSophos
Plage affectéeCorrigé dans
0 – 21.0 MR2 (21.0.2)21.0 MR2 (21.0.2)

Classification de Faiblesse (CWE)

CWE-89

Chronologie

  1. Réservé
  2. Publiée
  3. EPSS mis à jour

Mitigation et Contournementstraduction en cours…

The primary mitigation for CVE-2025-7624 is to immediately upgrade Sophos Firewall to version 21.0 MR2 (21.0.2) or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider temporarily disabling the legacy (transparent) SMTP proxy feature. While this will impact email functionality, it will significantly reduce the attack surface. As a further precaution, review and tighten email quarantining policies to minimize the potential impact of a successful SQL injection attempt. Monitor firewall logs for unusual SQL query patterns that might indicate an ongoing attack. Sophos has not released specific WAF rules, but generic SQL injection detection rules can be applied.

Comment corrigertraduction en cours…

Actualice Sophos Firewall a la versión 21.0 MR2 (21.0.2) o posterior. Esto solucionará la vulnerabilidad de inyección SQL en el proxy SMTP heredado. Asegúrese de que la política de cuarentena de correo electrónico esté activa.

Newsletter Sécurité CVE

Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.

Questions fréquentestraduction en cours…

What is CVE-2025-7624 — SQL Injection in Sophos Firewall?

CVE-2025-7624 is a critical SQL injection vulnerability affecting Sophos Firewall versions prior to 21.0 MR2 (21.0.2). Exploitation can lead to remote code execution if quarantining policies are active and the firewall was upgraded from an older version.

Am I affected by CVE-2025-7624 in Sophos Firewall?

If you are running Sophos Firewall versions 0–21.0 MR2 (21.0.2) and have active email quarantining policies, you are potentially affected by this vulnerability. Upgrade immediately.

How do I fix CVE-2025-7624 in Sophos Firewall?

Upgrade your Sophos Firewall to version 21.0 MR2 (21.0.2) or later. If an upgrade is not immediately possible, temporarily disable the legacy SMTP proxy feature.

Is CVE-2025-7624 being actively exploited?

While no active campaigns have been confirmed, the vulnerability's severity and potential impact suggest a high likelihood of exploitation. Monitor your firewall closely.

Where can I find the official Sophos advisory for CVE-2025-7624?

Refer to the official Sophos Security Advisory for CVE-2025-7624 on the Sophos website (link to advisory would be here if available).

Ton projet est-il affecté ?

Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.

Scanner gratuitementRechercher des CVE