CVE-2025-7624 in Sophos
Summary
by MITRE • 07/21/2025
An SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/18/2025
The vulnerability CVE-2025-7624 represents a critical SQL injection flaw within the legacy transparent SMTP proxy component of Sophos Firewall software. This issue affects versions prior to 21.0 MR2, specifically those older than 21.0 GA, creating a significant security risk that can be exploited remotely. The vulnerability manifests in the way the system processes email-related data within its legacy proxy implementation, which operates transparently to handle email traffic without requiring explicit configuration changes from administrators.
The technical exploitation of this vulnerability occurs through carefully crafted input that bypasses normal SQL query validation mechanisms within the email quarantine processing module. When the system encounters maliciously formatted email data, it fails to properly sanitize the input before incorporating it into backend database queries. This failure allows attackers to inject arbitrary SQL commands that can manipulate the underlying database structure and potentially escalate privileges. The vulnerability is particularly concerning because it leverages the legacy SMTP proxy functionality that operates transparently, making detection more difficult and exploitation more likely in environments where email quarantine policies are actively configured.
The operational impact of this vulnerability extends beyond simple data corruption or unauthorized access. When combined with active quarantining policies for email traffic, the vulnerability can enable full remote code execution on the affected system. This represents a severe compromise of the firewall's integrity and can lead to complete system takeover. The specific condition requiring a system upgrade from an older version creates a targeted attack vector where organizations that have not fully migrated to the newer 21.0 MR2 release remain at risk, particularly in environments where legacy configurations persist.
The security implications of this vulnerability align with CWE-89, which specifically addresses SQL injection flaws, and can be mapped to ATT&CK technique T1190 for exploitation of remote services and T1078 for valid accounts usage. Organizations running affected Sophos Firewall versions should prioritize immediate remediation through the installation of the 21.0 MR2 update or later. Additional mitigations include disabling the legacy SMTP proxy functionality where possible, implementing network segmentation to limit exposure, and monitoring for unusual database access patterns that might indicate exploitation attempts. The vulnerability underscores the importance of maintaining up-to-date security infrastructure and the risks associated with legacy system components that may contain unpatched security flaws.