Date of Disclosure (source): December 19, 2024
CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729 are vulnerabilities affecting Sophos Firewalls. At the time of writing, we did not observe public exploits or evidence of active exploitation for any of these vulnerabilities:
- CVE-2024-12727 is a pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1). It has been assigned a CVSS score of 9.8 (critical) by Sophos Limited.
- CVE-2024-12728 is a weak credentials vulnerability that potentially allows privileged system access via SSH to Sophos Firewall older than version 20.0 MR3 (20.0.3). It has been assigned a CVSS score of 9.8 (critical) by Sophos Limited.
- CVE-2024-12729 is a post-auth code injection vulnerability in the User Portal that allows authenticated users to execute code remotely in Sophos Firewall older than version 21.0 MR1 (21.0.1). It has been assigned a CVSS score of 8.8 (high) by Sophos Limited.
Sophos has not observed any active exploitation of these vulnerabilities at the time of releasing their security advisory. Their advisory includes remediation steps for each of the vulnerabilities and workarounds for CVE-2024-12728 and CVE-2024-12729.
| Field | Details | |||||
|---|---|---|---|---|---|---|
| CVE-ID | CVE-2024-12727 – CVSS 9.8 (critical) – assigned by Sophos Limited | CVE-2024-12728 – CVSS 9.8 (critical) – assigned by Sophos Limited | CVE-2024-12729 – CVSS 8.8 (high) – assigned by Sophos Limited | |||
| Vulnerability Description | A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode. | A weak credentials vulnerability potentially allows privileged system access via SSH to Sophos Firewall older than version 20.0 MR3 (20.0.3). | A post-auth code injection vulnerability in the User Portal allows authenticated users to execute code remotely in Sophos Firewall older than version 21.0 MR1 (21.0.1). | |||
| Date of Disclosure | December 19, 2024 | |||||
| Affected Assets | Email protection feature of Sophos Firewall | SSH module of Sophos Firewall | User Portal of Sophos Firewall | |||
| Vulnerable Software Versions | < 21.0 MR1 (21.0.1) | < 20.0 MR3 (20.0.3) | < 21.0 MR1 (21.0.1) | |||
| PoC Available? | No PoC available at the time of writing. | |||||
| Exploitation Status | No evidence of active exploitation at the time of writing. | |||||
| Patch Status | Sophos has provided remediation guidance in their security advisory published on December 19, 2024. | |||||
Censys Perspective
At the time of writing, Censys observed 57,247 exposed Sophos Firewalls. A large proportion of these (22%) are geolocated in India. Note that not all instances observed are necessarily vulnerable as we do not always have specific versions available.
Map of Exposed Sophos Firewall Instances:
services.http.response.body:"uiLangToHTMLLangAttributeValueMapping" or services.software: (vendor = "Sophos" and product="XG Firewall")
host.services.http.response.body:"uiLangToHTMLLangAttributeValueMapping" or host.services.software: (vendor = "Sophos" and product="XG Firewall")