Critical Sophos Firewall Vulnerabilities Let Attackers Execute Remote Code

Sophos has announced that it has released hotfixes for three critical security vulnerabilities in its Sophos Firewall product to prevent potential exploitation. These vulnerabilities could allow attackers to execute remote code on a limited number of systems that are configured in a specific way, as detailed in the Security Advisory.

These vulnerabilities, identified as CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, pose potential risks to organizations using Sophos Firewall in very specific conditions.

CVE-2024-12727 is a pre-authentication SQL injection vulnerability in the email protection feature of the Sophos Firewall. If exploited, it could grant attackers access to the reporting database and enable remote code execution under specific conditions, such as when the Secure PDF Exchange (SPX) feature is enabled, and the firewall operates in High Availability (HA) mode. Hotfixes were released on December 17, 2024, for various versions, with fixes included in v21 MR1 and newer.

This issue affects approximately 0.05% of devices and was responsibly disclosed by an external security researcher through Sophos’s bug bounty program.

CVE-2024-12728: This vulnerability involves the reuse of a suggested and non-random SSH login passphrase after the HA establishment process, potentially exposing privileged system accounts if SSH is enabled. It impacts about 0.5% of devices and was discovered during Sophos’s internal security testing. Hotfixes were published on November 26 and 27, 2024, with fixes included in v20 MR3, v21 MR1, and newer.


CVE-2024-12729: A post-authentication code injection vulnerability in the User Portal allows authenticated users to execute arbitrary code. An external researcher also responsibly disclosed this. Hotfixes were released on December 4, 5, and 10, 2024, with fixes included in v21 MR1 and newer.

Sophos has released hotfixes for these vulnerabilities, which are automatically applied to devices with the “Allow automatic installation of hotfixes” feature enabled. For those not using this feature, manual updates are necessary:

For organizations unable to update immediately, Sophos provides interim workarounds:

  • For CVE-2024-12728: Restrict SSH access to dedicated HA links and use long, random passphrases for HA configuration.
  • For CVE-2024-12729: Disable WAN access to the User Portal and WebAdmin interfaces, using VPN or Sophos Central for remote management.

Sophos has not observed these vulnerabilities being exploited in the wild; however, the company emphasizes the importance of applying updates and following recommended mitigations to prevent potential future attacks.

Organizations are urged to ensure their Sophos Firewall is up to date to mitigate these critical vulnerabilities effectively.

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.