CVE-2025-7624 Overview
CVE-2025-7624 is a critical SQL injection vulnerability affecting the legacy (transparent) SMTP proxy component of Sophos Firewall. This vulnerability enables remote code execution on affected systems when specific conditions are met: a quarantining policy must be active for Email, and the Sophos Firewall OS (SFOS) must have been upgraded from a version older than 21.0 GA. The flaw exists in versions older than 21.0 MR2 (21.0.2).
Critical Impact
Unauthenticated remote attackers can exploit this SQL injection vulnerability to achieve full remote code execution on affected Sophos Firewall appliances, potentially compromising the entire network perimeter security.
Affected Products
- Sophos Firewall Firmware versions older than 21.0 MR2 (21.0.2)
- Sophos Firewall hardware appliances running vulnerable firmware
- Systems upgraded from SFOS versions older than 21.0 GA with Email quarantine policies enabled
Discovery Timeline
- 2025-07-21 - CVE-2025-7624 published to NVD
- 2025-11-17 - Last updated in NVD database
Technical Details for CVE-2025-7624
Vulnerability Analysis
This vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), commonly known as SQL Injection. The flaw resides within the legacy transparent SMTP proxy functionality of Sophos Firewall.
The vulnerability requires a specific configuration state to be exploitable: the firewall must have Email quarantine policies active, and the system must have been upgraded from a firmware version predating 21.0 GA. This upgrade path appears to leave residual legacy code or configuration that contains the vulnerable SQL handling logic.
The transparent SMTP proxy inspects email traffic passing through the firewall, and during this processing, user-controllable input is improperly incorporated into SQL queries without adequate sanitization. This allows an attacker to inject malicious SQL commands that can be leveraged to execute arbitrary code on the underlying system.
Root Cause
The root cause is insufficient input validation and sanitization in the legacy SMTP proxy component. When processing SMTP traffic for quarantine operations, the component constructs SQL queries using untrusted data from email content or SMTP protocol fields. The failure to properly parameterize these queries or escape special characters allows attackers to break out of the intended SQL context and inject arbitrary commands.
This vulnerability specifically affects systems that were upgraded rather than freshly installed, suggesting the legacy code path is only present or active in upgrade scenarios where configuration migration from older versions occurs.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted SMTP traffic through a vulnerable Sophos Firewall that has transparent SMTP proxy enabled with quarantine policies.
The attack flow involves:
- Identifying a Sophos Firewall with transparent SMTP proxy enabled
- Sending malicious email traffic containing SQL injection payloads in SMTP protocol fields or message content
- The payload is processed by the quarantine functionality, triggering the SQL injection
- Successful injection leads to arbitrary code execution with the privileges of the firewall service
Since no code examples are available from verified sources, administrators should refer to the Sophos Security Advisory SA-20250721 for detailed technical information about the vulnerability mechanism.
Detection Methods for CVE-2025-7624
Indicators of Compromise
- Unusual SQL error messages or exceptions in SMTP proxy logs
- Unexpected database queries or modifications related to email quarantine operations
- Anomalous outbound connections originating from the firewall appliance
- Suspicious processes spawned by SMTP proxy or database services
- Evidence of command execution or shell access through mail-related services
Detection Strategies
- Monitor SMTP traffic for patterns indicative of SQL injection attempts, including single quotes, UNION SELECT statements, and encoded SQL keywords
- Implement network intrusion detection rules for SQL injection payloads in SMTP traffic
- Review Sophos Firewall logs for authentication failures, unexpected administrative actions, or system modifications
- Deploy SentinelOne Singularity to detect post-exploitation behavior and lateral movement attempts from compromised network appliances
Monitoring Recommendations
- Enable verbose logging on Sophos Firewall SMTP proxy components
- Configure alerts for any SQL-related errors in firewall logs
- Monitor for unusual traffic patterns originating from the firewall management interface or internal network segments
- Implement network segmentation monitoring to detect any unauthorized access attempts from the firewall to internal resources
How to Mitigate CVE-2025-7624
Immediate Actions Required
- Upgrade Sophos Firewall to version 21.0 MR2 (21.0.2) or later immediately
- Review and audit Email quarantine policies to determine if the vulnerable configuration exists
- If unable to patch immediately, consider disabling the transparent SMTP proxy or Email quarantine functionality as a temporary measure
- Audit firewall logs for any indicators of previous exploitation attempts
Patch Information
Sophos has released version 21.0 MR2 (21.0.2) to address this vulnerability. Administrators should apply this update as soon as possible. Detailed patching instructions and additional guidance are available in the Sophos Security Advisory SA-20250721.
Organizations should prioritize this patch given the critical severity and network-accessible attack vector without authentication requirements.
Workarounds
- Disable the legacy transparent SMTP proxy if not required for business operations
- Remove or disable Email quarantine policies until patching can be completed
- Implement network-level access controls to limit SMTP traffic sources that can reach the firewall's proxy service
- Consider deploying an additional mail security gateway upstream to filter potentially malicious SMTP traffic before it reaches the Sophos Firewall
# Verify Sophos Firewall firmware version via CLI
system diagnostics show version-info
# Check if Email quarantine policies are active
show email-quarantine status
# After patching, verify the new version
system diagnostics show version-info | grep "Firmware Version"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
