Sophos this week announced the rollout of patches for five vulnerabilities in Sophos Firewall that could lead to remote code execution (RCE).
The most serious issue, tracked as CVE-2025-6704 (CVSS score of 9.8), is a critical arbitrary file write flaw in the Secure PDF eXchange (SPX) feature of the appliance that could allow remote, unauthenticated attackers to execute arbitrary code.
According to Sophos's advisory, the bug affects only a fraction of firewall deployments, as it can only be triggered if a specific SPX configuration is enabled and the firewall is running in High Availability (HA) mode.
The second defect, tracked as CVE-2025-7624 (CVSS score of 9.8), is an SQL injection issue in the appliance's legacy SMTP proxy.
Also leading to RCE, the vulnerability only occurs "if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA". It therefore affects less than 1% of devices, Sophos says.
The company also resolved a high-severity command injection bug in the WebAdmin component of the firewall that could allow remote, unauthenticated attackers to execute arbitrary code on High Availability (HA) auxiliary devices.
Tracked as CVE-2025-7382 (CVSS score of 8.8), the flaw can only be triggered if OTP authentication for the admin user is enabled.
Over the past month, Sophos released hotfixes to address these issues in Firewall versions 19.0 MR2 (19.0.2.472), 20.0 MR2 (20.0.2.378), 20.0 MR3 (20.0.3.427), 21.0 GA (21.0.0.169), 21.0 MR1 (21.0.1.237), 21.0 MR1-1 (21.0.1.272), 21.0 MR1-2 (21.0.1.277), and 21.5 GA (21.5.0.171).
The patches were also included in version 21.0 MR2 of the appliance.
The last two bugs described in Sophos' advisory, CVE-2024-13974 and CVE-2024-13973, were discovered in the appliance's Up2Date and WebAdmin components. Their exploitation requires that the attackers control the firewall's DNS environment and that they are logged in as administrators, respectively.
Patches for these security defects were first included in Sophos Firewall version 21.0 MR1.
Customers running older versions of the firewall must upgrade to receive these patches, the company says. Sophos notes that it has not observed any of these flaws being exploited in the wild.
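For administrators with more than a handful of appliances, the practical question is which of the build strings above a given device is on. The following Python snippet is an added example, not code from Sophos or from this article: it takes the hotfixed build list and the 21.0 MR2 statement from the text and sorts an inventory of SFOS build strings into "hotfix-eligible", "fixed-in-release" and "unlisted". Two assumptions are labelled in the code: the page gives no build number for 21.0 MR2, so that release is matched on its 21.0.2 prefix, and a hotfix applied in place is assumed not to change the build string, so an exact match only shows a device is eligible for the hotfix, not that it has been applied. The sample inventory is constructed.

```python
import re

# Builds the article lists as having received hotfixes (taken from the page).
HOTFIXED_BUILDS = {
    "19.0.2.472": "19.0 MR2",
    "20.0.2.378": "20.0 MR2",
    "20.0.3.427": "20.0 MR3",
    "21.0.0.169": "21.0 GA",
    "21.0.1.237": "21.0 MR1",
    "21.0.1.272": "21.0 MR1-1",
    "21.0.1.277": "21.0 MR1-2",
    "21.5.0.171": "21.5 GA",
}

# The page says the fixes also ship in 21.0 MR2 but gives no build number,
# so that release is matched on its major.minor.mr prefix (assumption).
FIXED_RELEASE_PREFIX = (21, 0, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> tuple:
    """Parse an SFOS build string such as '21.0.1.237' into a 4-tuple of ints."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SFOS build string: {version!r}")
    major, minor, mr, build = (int(x) for x in m.groups())
    return (major, minor, mr, build)


def triage(version: str) -> dict:
    """Classify one firewall build against the advisory's version list.

    Returns a dict with:
      status  - 'hotfix-eligible', 'fixed-in-release' or 'unlisted'
      release - the release name where the page gives one, else None
      action  - what the operator should do next
    """
    major, minor, mr, build = parse_version(version)
    key = f"{major}.{minor}.{mr}.{build}"
    if key in HOTFIXED_BUILDS:
        # Assumption: a hotfix applied in place does not change the build
        # string, so an exact match only proves the build is eligible.
        return {"status": "hotfix-eligible", "release": HOTFIXED_BUILDS[key],
                "action": "confirm the hotfix is actually installed"}
    if (major, minor, mr) == FIXED_RELEASE_PREFIX:
        return {"status": "fixed-in-release", "release": "21.0 MR2",
                "action": "none; fixes are included in this release"}
    return {"status": "unlisted", "release": None,
            "action": "not in the advisory's version list; check the Sophos "
                      "advisory and upgrade if the build is older than those listed"}


def triage_fleet(versions) -> dict:
    """Group a list of build strings by triage status (fleet-wide view)."""
    groups = {"hotfix-eligible": [], "fixed-in-release": [], "unlisted": []}
    for v in versions:
        groups[triage(v)["status"]].append(v)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = ["21.0.1.237", "21.0.2.500", "20.0.1.100", " 19.0.2.472 "]
    for status, builds in triage_fleet(sample).items():
        print(f"{status}: {builds}")
```

The "unlisted" bucket is deliberately not treated as "vulnerable": a build newer than anything on the page (for example a later 21.5 maintenance release) also lands there, and only the vendor advisory can say whether it needs action.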
Related: Sophos Patches Critical Firewall Vulnerabilities
Related: Oracle Patches 200 Vulnerabilities With July 2025 CPU
Related: ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Phoenix Contact
Related: Unpatched Ruckus Vulnerabilities Allow Wireless Environment Hacking