Sophos has released patches for a critical-severity firewall vulnerability that could lead to remote code execution.
December 23, 2024 By Ionut Arghire
Sophos has announced patches for a critical-severity vulnerability in its firewall products that could allow remote attackers to execute arbitrary code without authentication.
Tracked as CVE-2024-12727 (CVSS score of 9.8), the issue is described as an SQL injection bug affecting the email protection feature. The flaw enables attackers to access the reporting database of the firewalls.
The bug can be exploited for remote code execution (RCE) “if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode”.
According to Sophos’ advisory, the flaw affects firewall product versions prior to 21.0 MR1 (21.0.1) and affects only 0.05% of devices.
Last week, the company announced hotfixes for versions 21 GA, 20 GA, 20 MR1, 20 MR2, 20 MR3, 19.5 MR3, 19.5 MR4, and 19.0 MR2 of its firewall products. The fixes were included in Sophos Firewall version 21.0 MR1 as well.
The updated iteration also addresses CVE-2024-12728 (CVSS score of 9.8), a weak credentials defect for which hotfixes were released in late November.