Skip to main content
CVE Vulnerability Database

CVE-2025-7624: Sophos Firewall Firmware SQLi Vulnerability

CVE-2025-7624 is an SQL injection flaw in Sophos Firewall's legacy SMTP proxy that can lead to remote code execution. This post covers the technical details, affected versions, impact assessment, and mitigation strategies.

Updated:

CVE-2025-7624 Overview

CVE-2025-7624 is a SQL injection vulnerability [CWE-89] in the legacy transparent SMTP proxy of Sophos Firewall. The flaw affects Sophos Firewall versions older than 21.0 MR2 (21.0.2) where a quarantining policy is active for Email and the appliance was upgraded from a version older than 21.0 GA. Successful exploitation can lead to remote code execution on the firewall appliance. The vulnerability is exploitable over the network without authentication or user interaction.

Critical Impact

Unauthenticated remote attackers can achieve remote code execution on affected Sophos Firewall appliances through the legacy SMTP proxy when email quarantining is active.

Affected Products

  • Sophos Firewall Firmware versions older than 21.0 MR2 (21.0.2)
  • Sophos Firewall appliances with legacy (transparent) SMTP proxy enabled
  • Sophos Firewall instances upgraded from versions older than 21.0 GA with an active email quarantining policy

Discovery Timeline

  • 2025-07-21 - CVE-2025-7624 published to NVD with Sophos security advisory
  • 2025-11-17 - Last updated in NVD database

Technical Details for CVE-2025-7624

Vulnerability Analysis

The vulnerability resides in the legacy transparent SMTP proxy component of Sophos Firewall Operating System (SFOS). The proxy fails to properly sanitize input before incorporating it into SQL queries, classifying this issue as [CWE-89] SQL Injection. Attackers who can reach the SMTP proxy can inject arbitrary SQL statements that the backend database executes with elevated privileges.

Because the SMTP proxy interacts with internal database components that influence firewall command execution paths, the SQL injection chain escalates into remote code execution on the appliance. The preconditions are specific: the appliance must have an active email quarantining policy, and SFOS must have been upgraded from a release predating 21.0 GA. Fresh installations of newer SFOS versions are not affected.

Root Cause

The root cause is improper neutralization of special elements used in SQL queries within the legacy SMTP proxy code path. Carried-over database schema artifacts from pre-21.0 GA upgrades remain reachable in the upgraded firmware, allowing untrusted SMTP input to flow into dynamic SQL statements without parameterization.

Attack Vector

An unauthenticated remote attacker delivers a crafted SMTP message or session payload to a vulnerable Sophos Firewall acting as a transparent SMTP proxy. Malicious content embedded in SMTP fields is processed by the proxy's quarantining logic, which forwards attacker-controlled strings into vulnerable SQL queries. The injected SQL is then leveraged to invoke command execution primitives, granting the attacker code execution on the firewall.

No verified public proof-of-concept exploit code is available. Refer to the Sophos Security Advisory for vendor-confirmed technical details.

Detection Methods for CVE-2025-7624

Indicators of Compromise

  • Unexpected SMTP traffic patterns directed at the firewall's transparent SMTP proxy containing SQL metacharacters such as single quotes, semicolons, or UNION SELECT fragments in MAIL FROM, RCPT TO, or message headers.
  • Anomalous child processes spawned by SFOS SMTP proxy or quarantining services on the firewall.
  • Unscheduled configuration changes, new administrative accounts, or modified firewall rules on appliances that were upgraded from pre-21.0 GA releases.

Detection Strategies

  • Inspect SFOS audit logs and SMTP proxy logs for malformed or oversized SMTP commands and headers correlated with quarantining actions.
  • Monitor north-south traffic to TCP/25 on firewall management and data interfaces for SMTP sessions originating from untrusted networks.
  • Correlate firewall outbound connections to unknown hosts immediately following inbound SMTP activity, which may indicate post-exploitation command-and-control.

Monitoring Recommendations

  • Forward SFOS logs to a centralized SIEM or data lake and alert on SMTP proxy errors, database query failures, and process anomalies on the firewall.
  • Baseline normal SMTP traffic volume and content profiles to surface deviations consistent with injection attempts.
  • Track SFOS firmware version inventory and flag any appliance still running a release older than 21.0 MR2.

How to Mitigate CVE-2025-7624

Immediate Actions Required

  • Upgrade Sophos Firewall to version 21.0 MR2 (21.0.2) or later as directed in the Sophos Security Advisory.
  • Verify whether the appliance was upgraded from a version older than 21.0 GA and whether an email quarantining policy is active, since these conditions define exposure.
  • Restrict SMTP proxy exposure to trusted networks until patching is complete.

Patch Information

Sophos has released fixed firmware in SFOS 21.0 MR2 (21.0.2) and later. Customers with auto-update enabled receive the hotfix automatically. Confirm patch application through the SFOS administrative console and review the vendor advisory for hotfix identifiers and applicability to each supported SFOS branch.

Workarounds

  • Disable the legacy (transparent) SMTP proxy if email scanning is not required, or migrate to the modern MTA-based SMTP mode where supported.
  • Remove or deactivate email quarantining policies on appliances that cannot be patched immediately, since an active quarantining policy is required for exploitation.
  • Block inbound TCP/25 traffic from untrusted sources at upstream network controls to reduce the attack surface of the SMTP proxy.
bash
# Verify SFOS firmware version from the admin CLI
system diagnostic show version

# Confirm SMTP proxy mode and quarantining policy status in the SFOS console
# Navigate to: Email > General settings > SMTP deployment mode
# Navigate to: Email > Policies > review active quarantining policies

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.