CVE-2024-12727 Overview
CVE-2024-12727 is a pre-authentication SQL injection vulnerability in the email protection feature of Sophos Firewall. The flaw affects versions older than 21.0 MR1 (21.0.1) and allows unauthenticated attackers to access the reporting database over the network. Under specific conditions, the vulnerability can escalate to remote code execution: that escalation requires the firewall to run in High Availability (HA) mode with a particular Secure PDF eXchange (SPX) configuration enabled. The vulnerability is tracked under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Unauthenticated network attackers can read the reporting database and, with a specific SPX and HA configuration, achieve remote code execution on the firewall.
Affected Products
- Sophos Firewall Firmware versions older than 21.0 MR1 (21.0.1)
- Sophos Firewall appliances running affected firmware
- Deployments with Secure PDF eXchange (SPX) enabled in High Availability (HA) mode
Discovery Timeline
- 2024-12-19 - CVE-2024-12727 published to NVD
- 2024-12-19 - Sophos publishes security advisory sophos-sa-20241219-sfos-rce
- 2025-11-12 - Last updated in NVD database
Technical Details for CVE-2024-12727
Vulnerability Analysis
The vulnerability resides in the email protection component of Sophos Firewall. Attacker-controlled input reaches a SQL query without proper sanitization or parameterization. Because the affected endpoint is reachable prior to authentication, attackers do not need valid credentials to send malicious payloads. Successful injection grants direct query access to the reporting database used by the firewall.
Read access alone discloses sensitive operational data, including logged events, reporting metadata, and potentially credentials or tokens stored within the schema. When the firewall runs in High Availability mode and a specific Secure PDF eXchange configuration is active, the SQL injection chain can be leveraged to execute arbitrary code on the appliance. This elevates the issue from data disclosure to full device compromise.
Root Cause
The root cause is improper neutralization of user-supplied input within an SQL statement processed by the email protection feature [CWE-89]. The affected code path constructs queries using untrusted data without using prepared statements or strict input validation. The pre-authentication exposure of this endpoint compounds the severity by removing any access barrier.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends a crafted request to the email protection interface of an affected Sophos Firewall. The injected SQL executes against the reporting database, returning data or, in vulnerable HA + SPX configurations, triggering follow-on logic that results in remote code execution. The EPSS score of 3.123% (86.996th percentile) reflects elevated exploitation likelihood relative to the broader CVE population.
No verified public proof-of-concept code is available at the time of writing. The vulnerability mechanism is described in prose; refer to the Sophos Security Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2024-12727
Indicators of Compromise
- Unexpected inbound HTTP/HTTPS requests to the email protection interface from untrusted sources prior to authentication
- Anomalous queries or error entries in firewall reporting database logs containing SQL syntax artifacts such as UNION SELECT, --, or stacked statements
- Unexpected child processes or shell activity spawned by firewall services on HA-paired appliances with SPX enabled
- New or modified administrative accounts, configuration changes, or scheduled tasks not initiated by authorized administrators
Detection Strategies
- Inspect web access logs on the firewall management and email protection endpoints for malformed query strings and SQL metacharacters
- Correlate authentication events with database query activity to identify unauthenticated database access
- Monitor HA synchronization channels for unexpected configuration or binary changes between paired devices
Monitoring Recommendations
- Forward Sophos Firewall logs to a centralized SIEM or data lake for retention and behavioral analysis
- Alert on outbound connections originating from the firewall management plane to unfamiliar destinations
- Baseline normal SPX processing volumes and flag deviations that may indicate exploitation attempts
How to Mitigate CVE-2024-12727
Immediate Actions Required
- Upgrade Sophos Firewall to version 21.0 MR1 (21.0.1) or later as published in the vendor advisory
- Restrict management and email protection interface exposure to trusted networks only
- Review HA pairs running SPX for signs of compromise and rotate credentials, certificates, and API tokens stored on the device
- Audit administrator accounts and recent configuration changes for unauthorized modifications
Patch Information
Sophos has released fixed firmware in version 21.0 MR1 (21.0.1). Administrators should apply the update via the Sophos Firewall management console or the standard firmware upgrade procedure. Full remediation details are available in the Sophos Security Advisory.
Workarounds
- Disable Secure PDF eXchange (SPX) on firewalls running in High Availability mode if the feature is not required, which removes the RCE escalation path
- Limit network reachability of the email protection feature to trusted management networks using ACLs or upstream filtering
- Enforce strict change control and monitor configuration drift on HA pairs until patching is completed
# Configuration example: verify installed firmware version on Sophos Firewall
# From the CLI advanced shell, confirm version is 21.0.1 or later
system diagnostics show version-info
# Restrict management access to trusted networks via Local Service ACL
# (perform via WebAdmin: Administration > Device Access)
# Allow only defined admin subnets to reach HTTPS, SSH, and email protection services
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


