CVE-2024-12727
published 2024-12-19

Priority: P261
Severity: critical (CVSS 3.1 base score 9.8)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.41% (69.3rd percentile)
A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.

Affected (2 ranges)

Vendor   Product             Version range            Fixed in
sophos   firewall_firmware   < 21.0.1                 21.0.1
sophos   sophos_firewall     < 21.0 MR1 (21.0.1)      21.0 MR1 (21.0.1)

Detection & IOCs (extracted from sources)

  • CVE-2024-12727 is exploitable only when Secure PDF eXchange (SPX) is enabled AND the firewall is running in High Availability (HA) mode — detections should check for this specific configuration combination
  • The vulnerability is pre-authentication, meaning malicious SQL injection requests targeting the email protection feature will arrive without any prior authenticated session — monitor for unauthenticated requests to email protection endpoints on Sophos Firewall
  • Successful exploitation grants access to the reporting database and can lead to remote code execution — monitor for unexpected outbound connections or process spawning from the Sophos Firewall reporting database service
  • Exploitation of CVE-2024-12727 requires a very specific configuration: SPX (Secure PDF eXchange) must be enabled AND the firewall must be running in High Availability (HA) mode — estimated to affect only ~0.05% of deployed devices
  • Affected versions are Sophos Firewall 21.0 GA (21.0.0) and older; the permanent fix is included in v21 MR1 (21.0.1) and newer — detections targeting unpatched versions should scope to these version ranges
  • Hotfixes for CVE-2024-12727 were released December 17 for versions 21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2 — devices on these versions that have not received the hotfix remain vulnerable