A critical vulnerability has been identified in certain versions of Sophos Firewall. This flaw, an SQL injection in the legacy email proxy, can be exploited by a remote, unauthenticated attacker by sending a malicious email, potentially allowing them to gain full control of the firewall appliance and compromise the entire network's security.

The vulnerability is a pre-authentication SQL injection flaw within the legacy (transparent) SMTP proxy component of the Sophos Firewall. An attacker can exploit this by sending a specially crafted email to the firewall. If a policy is active that quarantines emails, the firewall processes the malicious email, allowing the embedded SQL commands to be executed on the underlying database, which can be escalated to achieve remote code execution (RCE) on the firewall operating system.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the network perimeter security device. An attacker with RCE on the firewall could bypass all security policies, monitor, intercept, or reroute all network traffic, gain a foothold to attack internal network resources, exfiltrate sensitive data, or deploy ransomware. The business impact includes potential for significant data breaches, operational disruption, and loss of trust, representing a severe risk to the organization's security posture.

Immediate Action: Immediately upgrade all affected Sophos Firewall instances to version 21.0 MR2 (21.0.2) or a later version as recommended by the vendor. After patching, review firewall system and access logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor for exploitation attempts. This includes scrutinizing SMTP traffic logs for unusual patterns or malformed requests, specifically those related to the email quarantine feature. Implement SIEM rules to detect and alert on suspicious SQL syntax or error messages originating from the firewall's SMTP proxy. Monitor the firewall for any unexpected outbound connections or unauthorized processes.

Compensating Controls: If patching cannot be performed immediately, organizations should disable the legacy (transparent) SMTP proxy feature if it is not critical for business operations. If the feature must remain active, consider placing an upstream email security gateway or a Web Application Firewall (WAF) with SMTP inspection capabilities to filter for SQL injection attacks before they reach the vulnerable firewall.

Public Exploit Available: false

Due to the critical nature of this vulnerability, we strongly recommend that organizations prioritize the immediate patching of all affected Sophos Firewall appliances. The risk of a full network compromise from an unauthenticated, remote attacker is exceptionally high. This vulnerability should be addressed with the utmost urgency, following the principle of treating critical edge-device vulnerabilities as an active threat, regardless of their current KEV status.