PT-2024-9754 · Sophos · Sophos Firewall

Published: 2024-12-19 · Updated: 2025-11-12 · CVE-2024-12727

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Sophos Firewall versions prior to 21.0 MR1 (21.0.1)

Description

A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode. An estimated 0.05% of devices worldwide are potentially affected.

Recommendations

For Sophos Firewall versions prior to 21.0 MR1 (21.0.1), update to version 21.0 MR1 (21.0.1) or later to resolve the issue. As a temporary workaround, consider disabling the Secure PDF eXchange (SPX) configuration and High Availability (HA) mode until a patch is available. Restrict access to the email protection feature to minimize the risk of exploitation. Avoid using the vulnerable configuration in the affected API endpoints until the issue is resolved.

Fix

RCE

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2024-11491
CVE-2024-12727

Affected Products

Sophos Firewall