A number of security vulnerabilities affect Sophos firewall products, two of which enable pre-authentication remote code execution that could allow attackers to compromise systems without valid credentials.
The vulnerabilities, tracked as CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, and CVE-2024-13973, affect various configurations of Sophos Firewall versions 21.5 GA and older, with automatic hotfixes already deployed to address the most severe flaws.
Key Takeaways
1. Five critical flaws in Sophos Firewall, including pre-auth remote code execution, have been patched.
2. Automatic hotfixes protect most customers; no manual action is required.
3. No exploitation has been detected, but customers should verify that their firewalls are updated.
Critical Pre-Authentication Vulnerabilities
The most severe vulnerability, CVE-2025-6704, is an arbitrary file write flaw in the Secure PDF eXchange (SPX) feature that allows pre-authentication remote code execution.
This critical vulnerability specifically affects devices running in High Availability (HA) mode with particular SPX configurations enabled, impacting roughly 0.05% of deployed devices.
Security researchers discovered this flaw through Sophos's bug bounty program and responsibly disclosed it to the company.
Equally concerning is CVE-2025-7624, a SQL injection vulnerability in the legacy transparent SMTP proxy that can lead to remote code execution.
This critical flaw affects systems with active quarantining policies for email and devices upgraded from versions older than SFOS 21.0 GA, potentially affecting up to 0.73% of deployed firewalls.
The vulnerability demonstrates how legacy components can introduce significant security risks in modern network infrastructure.
High and Medium Severity Flaws
Beyond the critical pre-authentication vulnerabilities, CVE-2025-7382 is a command injection vulnerability in WebAdmin that allows adjacent attackers to achieve pre-authentication code execution on HA auxiliary devices.
This high-severity flaw requires OTP authentication for admin users to be enabled and affects roughly 1% of devices, highlighting risks in high-availability configurations.
The CVE-2024-13974 vulnerability exploits business logic flaws in the Up2Date component, allowing attackers to control the firewall's DNS environment and achieve remote code execution. This high-severity issue was discovered and disclosed by the UK's National Cyber Security Centre (NCSC).
Additionally, CVE-2024-13973 is a post-authentication SQL injection vulnerability in WebAdmin that could enable administrators to execute arbitrary code.
| CVE ID | Title / Description | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-6704 | Arbitrary file write in Secure PDF eXchange (SPX); pre-auth remote code execution possible | 9.8 | Critical |
| CVE-2025-7624 | SQL injection in legacy transparent SMTP proxy; pre-auth remote code execution possible | 9.8 | Critical |
| CVE-2025-7382 | Command injection in WebAdmin; adjacent pre-auth code execution on HA auxiliary devices | 8.8 | High |
| CVE-2024-13974 | Business logic flaw in Up2Date; remote code execution via DNS control | 8.2 | High |
| CVE-2024-13973 | Post-auth SQL injection in WebAdmin; arbitrary code execution for administrators | 6.6 | Medium |
Mitigations
Sophos has carried out a multi-phase hotfix deployment strategy, with the critical vulnerabilities receiving priority treatment.
Organizations with automatic hotfix installation enabled, which is the default configuration, receive these patches automatically.
Sophos has confirmed that there is no evidence of active exploitation of any of these vulnerabilities.
Customers running supported versions, including 19.0 MR2, 20.0 MR2/MR3, and 21.0 GA variants, should verify hotfix application through Sophos support documentation to ensure comprehensive protection against these critical security flaws.