CVE-2025-7624 Overview
CVE-2025-7624 is a SQL injection vulnerability [CWE-89] in the legacy transparent SMTP proxy of Sophos Firewall. The flaw affects Sophos Firewall versions older than 21.0 MR2 (21.0.2) where a quarantining policy is active for Email and the appliance was upgraded from a version older than 21.0 GA. Successful exploitation can lead to remote code execution on the firewall appliance. The vulnerability is exploitable over the network without authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can achieve remote code execution on affected Sophos Firewall appliances through the legacy SMTP proxy when email quarantining is active.
Affected Products
- Sophos Firewall Firmware versions older than 21.0 MR2 (21.0.2)
- Sophos Firewall appliances with legacy (transparent) SMTP proxy enabled
- Sophos Firewall instances upgraded from versions older than 21.0 GA with an active email quarantining policy
Discovery Timeline
- 2025-07-21 - CVE-2025-7624 published to NVD with Sophos security advisory
- 2025-11-17 - Last updated in NVD database
Technical Details for CVE-2025-7624
Vulnerability Analysis
The vulnerability resides in the legacy transparent SMTP proxy component of Sophos Firewall Operating System (SFOS). The proxy fails to properly sanitize input before incorporating it into SQL queries, classifying this issue as [CWE-89] SQL Injection. Attackers who can reach the SMTP proxy can inject arbitrary SQL statements that the backend database executes with elevated privileges.
Because the SMTP proxy interacts with internal database components that influence firewall command execution paths, the SQL injection chain escalates into remote code execution on the appliance. The preconditions are specific: the appliance must have an active email quarantining policy, and SFOS must have been upgraded from a release predating 21.0 GA. Fresh installations of newer SFOS versions are not affected.
Root Cause
The root cause is improper neutralization of special elements used in SQL queries within the legacy SMTP proxy code path. Carried-over database schema artifacts from pre-21.0 GA upgrades remain reachable in the upgraded firmware, allowing untrusted SMTP input to flow into dynamic SQL statements without parameterization.
Attack Vector
An unauthenticated remote attacker delivers a crafted SMTP message or session payload to a vulnerable Sophos Firewall acting as a transparent SMTP proxy. Malicious content embedded in SMTP fields is processed by the proxy's quarantining logic, which forwards attacker-controlled strings into vulnerable SQL queries. The injected SQL is then leveraged to invoke command execution primitives, granting the attacker code execution on the firewall.
No verified public proof-of-concept exploit code is available. Refer to the Sophos Security Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2025-7624
Indicators of Compromise
- Unexpected SMTP traffic patterns directed at the firewall's transparent SMTP proxy containing SQL metacharacters such as single quotes, semicolons, or UNION SELECT fragments in MAIL FROM, RCPT TO, or message headers.
- Anomalous child processes spawned by SFOS SMTP proxy or quarantining services on the firewall.
- Unscheduled configuration changes, new administrative accounts, or modified firewall rules on appliances that were upgraded from pre-21.0 GA releases.
Detection Strategies
- Inspect SFOS audit logs and SMTP proxy logs for malformed or oversized SMTP commands and headers correlated with quarantining actions.
- Monitor north-south traffic to TCP/25 on firewall management and data interfaces for SMTP sessions originating from untrusted networks.
- Correlate firewall outbound connections to unknown hosts immediately following inbound SMTP activity, which may indicate post-exploitation command-and-control.
Monitoring Recommendations
- Forward SFOS logs to a centralized SIEM or data lake and alert on SMTP proxy errors, database query failures, and process anomalies on the firewall.
- Baseline normal SMTP traffic volume and content profiles to surface deviations consistent with injection attempts.
- Track SFOS firmware version inventory and flag any appliance still running a release older than 21.0 MR2.
How to Mitigate CVE-2025-7624
Immediate Actions Required
- Upgrade Sophos Firewall to version 21.0 MR2 (21.0.2) or later as directed in the Sophos Security Advisory.
- Verify whether the appliance was upgraded from a version older than 21.0 GA and whether an email quarantining policy is active, since these conditions define exposure.
- Restrict SMTP proxy exposure to trusted networks until patching is complete.
Patch Information
Sophos has released fixed firmware in SFOS 21.0 MR2 (21.0.2) and later. Customers with auto-update enabled receive the hotfix automatically. Confirm patch application through the SFOS administrative console and review the vendor advisory for hotfix identifiers and applicability to each supported SFOS branch.
Workarounds
- Disable the legacy (transparent) SMTP proxy if email scanning is not required, or migrate to the modern MTA-based SMTP mode where supported.
- Remove or deactivate email quarantining policies on appliances that cannot be patched immediately, since an active quarantining policy is required for exploitation.
- Block inbound TCP/25 traffic from untrusted sources at upstream network controls to reduce the attack surface of the SMTP proxy.
# Verify SFOS firmware version from the admin CLI
system diagnostic show version
# Confirm SMTP proxy mode and quarantining policy status in the SFOS console
# Navigate to: Email > General settings > SMTP deployment mode
# Navigate to: Email > Policies > review active quarantining policies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

