Platform
sophos
Component
sophos-firewall
Opgelost in
21.0 MR2 (21.0.2)
CVE-2025-7624 describes a critical SQL injection vulnerability discovered in the legacy (transparent) SMTP proxy of Sophos Firewall. Successful exploitation, particularly when a quarantining policy is active for Email and the firewall has been upgraded from a version older than 21.0 GA, can result in remote code execution. This vulnerability impacts Sophos Firewall versions prior to 21.0 MR2 (21.0.2), and a fix is available in version 21.0 MR2 (21.0.2).
The SQL injection vulnerability in Sophos Firewall allows an attacker to inject malicious SQL code into the SMTP proxy's query processing. If a quarantining policy is enabled for email and the firewall was upgraded from a version before 21.0 GA, this injected code can be leveraged to execute arbitrary commands on the firewall itself. This represents a significant escalation of privilege, potentially granting the attacker full control over the firewall and any systems behind it. The impact extends beyond the firewall itself, as a compromised firewall can be used as a pivot point to attack internal network resources, leading to widespread data breaches and system compromise. The ability to execute code directly on the firewall bypasses typical network defenses and makes detection considerably more challenging.
CVE-2025-7624 was publicly disclosed on 2025-07-21. The vulnerability's critical CVSS score and the potential for remote code execution suggest a high probability of exploitation. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of SQL injection exploitation often leads to rapid PoC development and potential inclusion in exploit kits. It is not currently listed on CISA KEV, but its severity warrants close monitoring. Active campaigns targeting Sophos Firewall are not currently confirmed, but the vulnerability's profile makes it an attractive target.
Organizations relying on Sophos Firewall for email security, particularly those with active email quarantining policies and legacy firewall deployments (versions older than 21.0 GA), are at significant risk. Shared hosting environments where multiple customers share a single Sophos Firewall instance are also vulnerable, as a compromise of one customer's email could potentially impact others.
• sophos: Examine Sophos Firewall logs for unusual SQL query patterns, specifically targeting the SMTP proxy. Look for queries containing SQL keywords like UNION, SELECT, INSERT, UPDATE, or DELETE.
Get-SophosFirewallLog -LogType 'SQLInjection' -StartTime (Get-Date).AddDays(-7)• linux / server: Monitor system logs (e.g., /var/log/syslog, /var/log/messages) for suspicious processes or network connections originating from the Sophos Firewall. Use lsof or ss to identify processes listening on unusual ports or connecting to unexpected destinations.
lsof -i :25 | grep sophos• generic web: If the SMTP proxy is exposed externally, use curl or wget to probe for potential injection points. Examine response headers for unexpected SQL error messages.
curl -H "X-Custom-Header: '; DROP TABLE users; --" http://sophosfirewall/smtp_proxydisclosure
Exploit Status
EPSS
0.33% (56% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-7624 is to immediately upgrade Sophos Firewall to version 21.0 MR2 (21.0.2) or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider temporarily disabling the legacy (transparent) SMTP proxy feature. While this will impact email functionality, it will significantly reduce the attack surface. As a further precaution, review and tighten email quarantining policies to minimize the potential impact of a successful SQL injection attempt. Monitor firewall logs for unusual SQL query patterns that might indicate an ongoing attack. Sophos has not released specific WAF rules, but generic SQL injection detection rules can be applied.
Actualice Sophos Firewall a la versión 21.0 MR2 (21.0.2) o posterior. Esto solucionará la vulnerabilidad de inyección SQL en el proxy SMTP heredado. Asegúrese de que la política de cuarentena de correo electrónico esté activa.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-7624 is a critical SQL injection vulnerability affecting Sophos Firewall versions prior to 21.0 MR2 (21.0.2). Exploitation can lead to remote code execution if quarantining policies are active and the firewall was upgraded from an older version.
If you are running Sophos Firewall versions 0–21.0 MR2 (21.0.2) and have active email quarantining policies, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade your Sophos Firewall to version 21.0 MR2 (21.0.2) or later. If an upgrade is not immediately possible, temporarily disable the legacy SMTP proxy feature.
While no active campaigns have been confirmed, the vulnerability's severity and potential impact suggest a high likelihood of exploitation. Monitor your firewall closely.
Refer to the official Sophos Security Advisory for CVE-2025-7624 on the Sophos website (link to advisory would be here if available).
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.