CVE-2025-7624
📋 TL;DR
An SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall can lead to remote code execution on the appliance. It affects Sophos Firewall (SFOS) releases older than 21.0 MR2 (21.0.2), and only when two conditions hold: a quarantining policy is active for Email, and the firewall was upgraded from a release older than 21.0 GA (a fresh 21.0 install does not carry the affected state). Because the firewall sits at the network edge, successful exploitation can give the attacker control of the device itself.
💻 Affected Systems
- Sophos Firewall
📦 What is this software?
Sophos Firewall (SFOS) is Sophos's network firewall appliance, sold as hardware, virtual and cloud images. Its Email protection module can proxy SMTP traffic, scan messages, and hold suspicious mail in a quarantine; the affected code is the older "legacy" SMTP proxy mode of that module.
⚠️ Risk & Real-World Impact
Worst Case
A remote attacker who can deliver SMTP traffic through the legacy proxy gains code execution on the firewall itself, enabling complete network compromise, data exfiltration, and lateral movement into internal networks.
Likely Case
Remote code execution leading to firewall compromise, credential theft, network traffic interception, and installation of persistent backdoors.
If Mitigated
Limited impact if email quarantining is disabled or systems are not internet-facing, though internal exploitation risk remains.
🎯 Exploit Status
No public exploit or in-the-wild exploitation is referenced on this page. Treat the issue as high priority regardless: the CVSS score reflects a network-reachable, unauthenticated path to code execution on an edge device, and SQL-injection-to-RCE chains against firewall appliances have historically been weaponised quickly once patches reveal the injection point.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.0 MR2 (21.0.2) or later
Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
Restart Required: Yes
Instructions:
1. Back up the current configuration (System > Backup & firmware).
2. Download and install Sophos Firewall 21.0.2 or later from Sophos Central or the support portal.
3. Reboot the firewall after installation.
4. Verify the upgrade in System > Administration > Overview.
Sophos also ships hotfixes automatically to firewalls with "Allow automatic installation of hotfixes" enabled; check the vendor advisory for whether a hotfix covers your current release before scheduling a full upgrade.
🔧 Temporary Workarounds
Disable Email Quarantining
Temporarily disable quarantining in every email policy; the vulnerability requires an active quarantining policy.
Navigate to: Protect > Email > Policies > Edit policy > Disable 'Quarantine' option
Disable Legacy SMTP Proxy
Switch the SMTP deployment away from the legacy (transparent) proxy if your release offers the newer mode.
Navigate to: Protect > Email > SMTP > Switch to 'New SMTP proxy' if option available
Both changes alter mail handling (quarantined mail is no longer held; switching proxy mode can change routing behaviour), so test them on a non-production unit first.
🧯 If You Can't Patch
- Immediately disable email quarantining policies on all vulnerable firewalls
- Implement strict network segmentation to isolate vulnerable firewalls from critical assets
🔍 How to Verify
Check if Vulnerable:
A firewall is affected only if all of the following hold:
1. SFOS version is older than 21.0.2 (21.0 MR2)
2. The system was upgraded from a release older than 21.0 GA (not a fresh 21.0 install)
3. Quarantining is enabled in at least one email policy
4. SMTP is handled by the legacy (transparent) SMTP proxy
Check Version:
System > Administration > Overview in the web interface shows the running SFOS version. Note that SSH to a Sophos Firewall lands in the SFOS console menu, not a Linux shell, so a plain `cat` of a version file is not the way to read it.
Verify Fix Applied:
Verify SFOS version is 21.0.2 or higher in System > Administration > Overview, and that the firewall has rebooted since the upgrade.
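The four conditions above combine into a simple triage rule that is easy to get wrong by hand across a fleet (comparing "21.0.1" to "21.0.2" as strings, or forgetting the upgrade-path condition). This added example, not from Sophos, encodes the rule. The version-string format it parses ("SFOS 21.0.1 MR-1-Build282") is an assumption about what the admin UI shows; only the dotted x.y.z part is used, and the inventory is constructed.

```python
import re

# Fixed release from the advisory: 21.0 MR2 == 21.0.2.
FIXED_VERSION = (21, 0, 2)

# Assumed display format, e.g. "SFOS 21.0.1 MR-1-Build282"; only x.y.z is parsed.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_sfos_version(text):
    """Extracts (major, minor, maintenance) so releases compare numerically."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version_text, upgraded_from_pre_21, quarantine_enabled, legacy_smtp_proxy):
    """Applies the page's four conditions. Returns a dict with the verdict and,
    when not vulnerable, which conditions failed to hold."""
    version = parse_sfos_version(version_text)
    checks = [
        (version < FIXED_VERSION, "version older than 21.0.2"),
        (upgraded_from_pre_21, "upgraded from a pre-21.0 GA release"),
        (quarantine_enabled, "quarantining enabled in an email policy"),
        (legacy_smtp_proxy, "legacy (transparent) SMTP proxy in use"),
    ]
    unmet = [label for holds, label in checks if not holds]
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": not unmet,
        "unmet_conditions": unmet,
    }


# Constructed inventory; each entry mirrors what an admin would record per unit.
INVENTORY = [
    {"name": "fw-edge-1", "version": "SFOS 21.0.1 MR-1-Build282",
     "upgraded_from_pre_21": True, "quarantine": True, "legacy_smtp": True},
    {"name": "fw-edge-2", "version": "SFOS 21.0.2 MR-2-Build378",
     "upgraded_from_pre_21": True, "quarantine": True, "legacy_smtp": True},
    {"name": "fw-branch", "version": "SFOS 21.0.0 GA-Build169",
     "upgraded_from_pre_21": False, "quarantine": True, "legacy_smtp": True},
    {"name": "fw-lab", "version": "SFOS 19.5.4 MR-4-Build942",
     "upgraded_from_pre_21": True, "quarantine": False, "legacy_smtp": True},
]


def vulnerable_units(inventory):
    """Names of units for which every condition holds."""
    return [
        unit["name"]
        for unit in inventory
        if assess(unit["version"], unit["upgraded_from_pre_21"],
                  unit["quarantine"], unit["legacy_smtp"])["vulnerable"]
    ]


if __name__ == "__main__":
    for unit in INVENTORY:
        result = assess(unit["version"], unit["upgraded_from_pre_21"],
                        unit["quarantine"], unit["legacy_smtp"])
        print(unit["name"], result)
    print("patch first:", vulnerable_units(INVENTORY))
```

The fresh-install case ("fw-branch") is deliberately included: it runs a version older than the fix but was never upgraded from pre-21.0, so by the advisory's wording it is not affected, and the rule reports which condition did not hold rather than a bare "no".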
📡 Detection & Monitoring
Log Indicators:
- SMTP/email proxy service crashes or unexpected restarts, especially several in a short window (a failed or unstable injection attempt often crashes the handler)
- SQL syntax characters (quotes, comment markers, semicolons, UNION/OR fragments) in sender addresses, recipient addresses or subjects recorded in mail logs
- Unexpected processes or shells spawned on the firewall in system logs
Network Indicators:
- Unusual outbound connections from the firewall itself to unknown IPs (callback or staging after code execution)
- Inbound SMTP sessions that deviate from the normal baseline: bursts of one-message sessions from new sources, malformed envelopes, or many sessions that never complete delivery
SIEM Query:
The query below is a starting point only; the field and event names are placeholders and must be mapped to whatever your Sophos log parser actually emits.
source="sophos_firewall" AND (event_type="sql_error" OR process="unexpected_executable")
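As an added example (not part of the page or a Sophos tool), the two log indicators that are easiest to turn into rules, SQL metacharacters in SMTP sender addresses and a burst of proxy restarts, implemented over constructed syslog-style lines. The line format, process name and restart message are invented for the demo; map the regexes onto your real log source before use.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed syslog-style lines; not the real SFOS log format.
SAMPLE_LOGS = """\
2025-07-22T10:00:01 fw1 smtpd[1201]: connection from 203.0.113.9
2025-07-22T10:00:02 fw1 smtpd[1201]: MAIL FROM:<alice@example.org>
2025-07-22T10:00:05 fw1 smtpd[1201]: MAIL FROM:<bob@example.org' OR 1=1 --@evil.test>
2025-07-22T10:00:06 fw1 init: smtpd exited, restarting
2025-07-22T10:00:40 fw1 init: smtpd exited, restarting
2025-07-22T10:01:10 fw1 init: smtpd exited, restarting
2025-07-22T10:30:00 fw1 init: smtpd exited, restarting
"""

MAIL_FROM_RE = re.compile(r"MAIL FROM:<(.*)>")
RESTART_RE = re.compile(r"smtpd exited, restarting")
# Quote, line comment, statement separator, block comment, boolean/UNION keywords.
SQL_META_RE = re.compile(r"'|--|;|/\*|\bOR\b|\bUNION\b", re.IGNORECASE)


def timestamp_of(line):
    """Leading ISO-8601 timestamp of a constructed log line."""
    return datetime.fromisoformat(line.split(" ", 1)[0])


def suspicious_senders(lines):
    """Envelope senders containing SQL metacharacters."""
    hits = []
    for line in lines:
        m = MAIL_FROM_RE.search(line)
        if m and SQL_META_RE.search(m.group(1)):
            hits.append(m.group(1))
    return hits


def restart_bursts(lines, window=timedelta(seconds=120), threshold=3):
    """Start timestamps of windows in which the proxy restarted `threshold`
    times within `window`. A sliding deque holds restarts still inside the window;
    a burst is reported once, when the count first reaches the threshold."""
    recent = deque()
    bursts = []
    for line in lines:
        if not RESTART_RE.search(line):
            continue
        ts = timestamp_of(line)
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) == threshold:
            bursts.append(recent[0].isoformat())
    return bursts


def scan(text):
    """Runs both detectors over a block of log text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return {
        "suspicious_senders": suspicious_senders(lines),
        "restart_bursts": restart_bursts(lines),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_LOGS))
```

Three restarts inside two minutes trigger one burst alert; the lone restart half an hour later does not, which is the point of the sliding window: single restarts are routine, clusters are not. The sender check will produce false positives on legitimate addresses containing apostrophes (RFC 5321 allows them in the local part), so route it to triage rather than blocking.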