Sophos Addresses Critical Firewall Security Flaws That Could Allow Remote Code Execution

Written by: Lore Apostol, Cybersecurity & Streaming Writer

Sophos has released patches addressing several critical vulnerabilities in its firewall products, protecting users from potential remote code execution (RCE) and other security risks. The measures focus on flaws that could allow attackers to exploit systems without authentication.

The advisory addresses CVE-2024-12727 – SQL Injection (CVSS 9.8), CVE-2024-12728 – Weak Credentials on SSH (CVSS 9.8), and CVE-2024-12729 – Code Injection in User Portal (CVSS 8.8).

CVE-2024-12727 is a severe SQL injection vulnerability in the email protection feature of Sophos firewalls. The flaw enables attackers to access the firewall's reporting database and potentially execute arbitrary code if specific settings are enabled.

Sophos warns that the issue could lead to RCE if a specific configuration of Secure PDF eXchange (SPX) is enabled and the firewall operates in High Availability (HA) mode. This vulnerability affects Sophos firewall versions prior to 21.0 MR1 (21.0.1) and impacts approximately 0.05% of devices, according to the company’s advisory.

CVE-2024-12728 is a weak credential issue affecting SSH login passphrases used for HA cluster initialization. The vulnerability resulted in non-random passphrases remaining active after the HA setup process, exposing a privileged system account if SSH was enabled. This flaw affects roughly 0.5% of devices.

To mitigate CVE-2024-12728, Sophos advises users to restrict SSH access to the dedicated HA link (ensuring that link is physically separate), reconfigure HA with a sufficiently long and random custom passphrase, and disable WAN access via SSH for additional security.

CVE-2024-12729 involves a code injection issue in the User Portal that could allow authenticated attackers to execute arbitrary code remotely. Sophos recommends disabling WAN access to the User Portal and Webadmin to prevent exploitation.

Sophos has issued hotfixes for multiple firewall product versions, including 21 GA, 20 GA, 20 MR1, 20 MR2, 20 MR3, 19.5 MR3, 19.5 MR4, and 19.0 MR2.

The fixes are consolidated into Sophos Firewall version 21.0 MR1. To protect against potential exploits, users are urged to ensure their software is up-to-date and to follow best practices, such as disabling WAN access and using strong credentials.
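As an added illustration (not code from the advisory or from Sophos), the helper below parses version strings in the form the advisory uses ("21.0 MR1", "21.0.1", "20 MR3", "19.5 MR4", "21 GA") and flags the exposures the text calls out: running below 21.0 MR1 without a hotfix, the SPX-plus-HA combination for CVE-2024-12727, SSH on WAN for CVE-2024-12728, and User Portal or Webadmin on WAN for CVE-2024-12729. The mapping of "MRn" to the third version component and the `Device` fields are assumptions, not a Sophos data format.

```python
import re
from typing import NamedTuple

# Release that consolidates the fixes, per the advisory summary: 21.0 MR1, written 21.0.1
FIXED_RELEASE = (21, 0, 1)

# Assumption: "MRn" maps to the third component and "GA" to 0, matching "21.0 MR1 (21.0.1)"
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(?:GA|MR(\d+))?$", re.I)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a Sophos-style version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, mr = m.groups()
    return (int(major), int(minor or 0), int(patch or mr or 0))


class Device(NamedTuple):
    """Constructed inventory record (hypothetical fields, not a Sophos export)."""
    name: str
    version: str
    hotfix_applied: bool   # Sophos shipped hotfixes for 21 GA, 20 GA..MR3, 19.5 MR3/MR4, 19.0 MR2
    ssh_on_wan: bool
    portal_or_webadmin_on_wan: bool
    spx_enabled: bool
    ha_mode: bool


def assess(dev: Device) -> list[str]:
    """Return the advisory-related findings for one device; an empty list means nothing to act on."""
    findings = []
    patched = parse_version(dev.version) >= FIXED_RELEASE or dev.hotfix_applied
    if not patched:
        findings.append("below 21.0 MR1 with no hotfix: update")
        if dev.spx_enabled and dev.ha_mode:
            findings.append("CVE-2024-12727: SPX with HA mode raises SQLi to RCE")
        if dev.ha_mode:
            findings.append("CVE-2024-12728: reconfigure HA with a long random passphrase")
    if dev.ssh_on_wan:
        findings.append("CVE-2024-12728: SSH reachable from WAN; restrict to dedicated HA link")
    if dev.portal_or_webadmin_on_wan:
        findings.append("CVE-2024-12729: User Portal/Webadmin reachable from WAN; disable")
    return findings


if __name__ == "__main__":
    fleet = [  # constructed sample inventory
        Device("fw-edge-1", "21.0 MR1", False, False, False, True, True),
        Device("fw-branch-2", "19.5 MR4", False, True, True, True, True),
    ]
    for d in fleet:
        print(d.name, assess(d) or ["ok"])
```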

Sophos has stated that, to date, there is no evidence of these vulnerabilities being exploited in the wild.

Notably, the U.S. government recently charged and sanctioned a Chinese national alleged to be part of an advanced persistent threat (APT) group involved in attacks on Sophos firewalls.