Five Vulnerabilities in Sophos Firewall Disclosed and Patched – Urgent Upgrades Recommended

Published Date: July 24, 2025

Category: ShadowOpsIntel

Sophos has addressed five security vulnerabilities in its Firewall product, ranging from Critical to Medium severity. These issues were responsibly disclosed and hotfixes were automatically applied for supported versions. While no exploitation in the wild has been reported, the vulnerabilities have the potential to enable remote code execution under specific configurations.

Severity Level: Critical

Vulnerability Details

CVE ID	Description	Severity	Affected % of Devices
CVE-2025-6704	Arbitrary file write via Secure PDF eXchange (SPX) in High Availability (HA) mode allows pre-auth RCE.	Critical	~0.05%
CVE-2025-7624	SQL injection in legacy SMTP proxy with quarantining enabled, allows unauthenticated RCE in upgraded devices (< v21.0).	Critical	~0.73%
CVE-2025-7382	Command injection on HA auxiliary devices with OTP admin authentication, allowing pre-auth RCE from adjacent network.	High	~1%
CVE-2024-13974	Business logic flaw in Up2Date enables attackers to control DNS environment and execute code remotely.	High	Not disclosed
CVE-2024-13973	SQL injection in WebAdmin interface allows admin-level arbitrary code execution post-authentication.	Medium	Not disclosed

Exploitation Of The Vulnerabilities

No exploitation in the wild has been observed as of July 24, 2025.
All vulnerabilities were responsibly disclosed by external researchers and handled under the Sophos Bug Bounty Program.
Some of the flaws (e.g., CVE-2025-6704 and CVE-2025-7382) could be exploited pre-authentication, significantly increasing their risk if exposed externally.

Affected Products

CVE IDs	Affected Sophos Firewall Versions
CVE-2025-6704, CVE-2025-7624, CVE-2025-7382	Versions ≤ v21.5 GA (21.5.0)
CVE-2024-13974, CVE-2024-13973	Versions ≤ v21.0 GA (21.0.0)

Fixed Versions & Hotfix Details

CVE ID	Fixed In	Hotfix Published
CVE-2025-6704	v21.0 MR2 and newer	June 24 – July 1, 2025
CVE-2025-7624	v21.0 MR2 and newer	July 15, 2025
CVE-2025-7382	v21.0 MR2 and newer	June 30 – July 2, 2025
CVE-2024-13974	v21.0 MR1 and newer	Jan 6–7, 2025
CVE-2024-13973	v21.0 MR1 and newer	Jan-25

Note: Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix.

Recommendations

Upgrade affected Sophos firewalls to latest fixed versions.
Verify hotfixes are installed: Use the guide at https://support.sophos.com/support/s/article/KBA-000010589?language=en_US to confirm.
Ensure “Allow automatic installation of hotfixes” is enabled in the firewall configuration.
Disable SPX feature or HA mode if not strictly required to reduce attack surface related to CVE-2025-6704.
Avoid using legacy (transparent) SMTP proxy, especially with quarantine policies, unless necessary (CVE-2025-7624).
Review OTP settings for WebAdmin access, especially in HA environments (CVE-2025-7382).
Restrict WebAdmin and SSH interfaces to trusted internal IPs only; avoid exposing them publicly.

Source:

https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.