CVE-2025-7624 is a critical SQL injection vulnerability affecting Sophos Firewall, specifically targeting the legacy (transparent) SMTP proxy component in versions prior to 21.0 MR2 (21.0.2). The vulnerability arises due to improper neutralization of special elements used in SQL commands (CWE-89), allowing an attacker to inject malicious SQL code. This flaw can be exploited remotely without authentication or user interaction, provided that a quarantining policy for email is active and the firewall was upgraded from a version older than 21.0 GA. Successful exploitation can lead to remote code execution (RCE), granting attackers the ability to execute arbitrary commands on the firewall system. The vulnerability has a CVSS 3.1 base score of 9.8, indicating critical severity with high impact on confidentiality, integrity, and availability. The attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making it highly exploitable. Although no known exploits are currently reported in the wild, the potential for damage is significant due to the firewall's role as a network security gateway and the ability to execute code remotely. The lack of patch links suggests that remediation may require upgrading to version 21.0 MR2 or later, or applying vendor-provided fixes once available. Organizations using affected Sophos Firewall versions with email quarantining policies should consider this vulnerability a top priority for mitigation.

For European organizations, the impact of CVE-2025-7624 is substantial. Sophos Firewall is widely deployed across enterprises, service providers, and government networks in Europe as a critical security perimeter device. Exploitation could lead to full compromise of the firewall, allowing attackers to bypass security controls, intercept or manipulate network traffic, and potentially pivot to internal networks. This threatens the confidentiality of sensitive data, the integrity of network operations, and the availability of critical services. Given the firewall’s role in email security (quarantining policies), attackers might also manipulate or exfiltrate email data, increasing risks of data breaches and compliance violations under GDPR. The critical nature of this vulnerability means that affected organizations could face operational disruption, data loss, and regulatory penalties if exploited. The fact that no authentication or user interaction is required heightens the risk of automated or widespread attacks, particularly targeting organizations with legacy firewall versions that have not been updated.

1. Immediate upgrade to Sophos Firewall version 21.0 MR2 (21.0.2) or later, which addresses this vulnerability. 2. If immediate upgrade is not feasible, temporarily disable the legacy (transparent) SMTP proxy or the email quarantining policy to reduce the attack surface. 3. Implement strict network segmentation and firewall rules to limit external access to the management and SMTP proxy interfaces. 4. Monitor firewall logs and network traffic for unusual SQL queries or suspicious activity indicative of exploitation attempts. 5. Employ intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect attempts to exploit SQL injection on Sophos Firewall. 6. Conduct regular vulnerability assessments and penetration tests focusing on firewall components. 7. Maintain an incident response plan tailored to firewall compromise scenarios to quickly isolate and remediate affected systems.