Sophos has disclosed three critical security vulnerabilities in its Sophos Firewall product that could allow attackers to execute code remotely on affected systems. Tracked as CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, these flaws pose significant risks to organizations that rely on Sophos Firewall for network protection.
CVE-2024-12727:
A pre-authentication SQL injection vulnerability in the email protection feature of Sophos Firewall could allow an unauthenticated attacker to access the reporting database. Where the Secure PDF Exchange (SPX) feature is enabled and the firewall is running in High Availability (HA) mode, the same flaw could be escalated to remote code execution. Sophos estimates that about 0.05% of devices are affected. The issue was responsibly disclosed through Sophos's bug bounty program.
CVE-2024-12728:
This vulnerability stems from a suggested, non-random SSH login passphrase used during HA cluster initialization that remains active after the HA setup process has completed. If SSH is enabled, an attacker who knows that passphrase could log in to a privileged system account on the firewall. Sophos estimates that about 0.5% of devices are affected and says it found the issue during internal security testing.
CVE-2024-12729:
A post-authentication code injection vulnerability in the User Portal allows an authenticated user to execute arbitrary code on the firewall. An external researcher responsibly disclosed this issue.
Sophos has released hotfixes that install automatically on devices where the "Allow automatic installation of hotfixes" setting is enabled (the default). Deployments that have disabled this setting must apply the updates manually. The fixes are also included in Sophos Firewall v21 MR1 and newer.
For organizations unable to apply updates immediately, Sophos recommends:
Although Sophos reports no evidence of exploitation in the wild, it stresses the urgency of applying the updates and following the recommended mitigations to guard against potential attacks.
Organizations should promptly confirm that their Sophos Firewall has received the hotfix or has been upgraded to a fixed release.