Sophos has addressed five security vulnerabilities in its Sophos Firewall product, ranging from Critical to Medium severity. The issues were responsibly disclosed, and hotfixes were applied automatically to supported versions. No exploitation in the wild has been reported, but several of the flaws allow remote code execution, some of them without authentication, when specific features are enabled.
Severity Level: Critical
Vulnerability Details
| CVE ID | Description | Severity | Share of Devices Affected (approx.) |
|---|---|---|---|
| CVE-2025-6704 | Arbitrary file write in Secure PDF eXchange (SPX) allows pre-auth remote code execution when the device runs in High Availability (HA) mode. | Critical | ~0.05% |
| CVE-2025-7624 | SQL injection in the legacy (transparent) SMTP proxy allows unauthenticated RCE when a quarantining policy is active and the device was upgraded from a release older than v21.0 GA. | Critical | ~0.73% |
| CVE-2025-7382 | Command injection in WebAdmin allows pre-auth RCE on HA auxiliary devices when OTP authentication is enabled for the admin user; exploitable from an adjacent network. | High | ~1% |
| CVE-2024-13974 | Business logic flaw in the Up2Date component allows attackers to control the firewall's DNS environment and achieve remote code execution. | High | Not disclosed |
| CVE-2024-13973 | Post-auth SQL injection in the WebAdmin interface allows an authenticated administrator to achieve arbitrary code execution. | Medium | Not disclosed |
Exploitation Of The Vulnerabilities
- No exploitation in the wild has been observed as of July 24, 2025.
- All vulnerabilities were responsibly disclosed by external researchers and handled under the Sophos Bug Bounty Program.
- Some of the flaws (e.g., CVE-2025-6704 and CVE-2025-7382) are exploitable before authentication, which makes them far more dangerous on devices whose affected services are reachable from untrusted networks.
Affected Products
| CVE IDs | Affected Sophos Firewall Versions |
|---|---|
| CVE-2025-6704, CVE-2025-7624, CVE-2025-7382 | Versions ≤ v21.5 GA (21.5.0) |
| CVE-2024-13974, CVE-2024-13973 | Versions ≤ v21.0 GA (21.0.0) |
Fixed Versions & Hotfix Details
| CVE ID | Fixed In | Hotfix Published |
|---|---|---|
| CVE-2025-6704 | v21.0 MR2 and newer | June 24 – July 1, 2025 |
| CVE-2025-7624 | v21.0 MR2 and newer | July 15, 2025 |
| CVE-2025-7382 | v21.0 MR2 and newer | June 30 – July 2, 2025 |
| CVE-2024-13974 | v21.0 MR1 and newer | Jan 6–7, 2025 |
| CVE-2024-13973 | v21.0 MR1 and newer | Jan-25 |
Note: Hotfixes are published only for supported versions. Devices running older, unsupported releases of Sophos Firewall must be upgraded to a fixed version to receive these fixes and the latest protections.
Recommendations
- Upgrade affected Sophos Firewall devices to the latest fixed versions.
- Verify that the hotfixes are installed on every device using the Sophos guide at https://support.sophos.com/support/s/article/KBA-000010589?language=en_US; do not rely on the version string alone.
- Ensure "Allow automatic installation of hotfixes" is enabled in the firewall configuration so future hotfixes are applied without manual intervention.
- Disable SPX, or avoid running SPX on devices in HA mode, unless strictly required; CVE-2025-6704 needs both features to be active.
- Avoid the legacy (transparent) SMTP proxy, especially with quarantining policies enabled, unless it is necessary (CVE-2025-7624).
- Review OTP authentication settings for the admin user, especially on HA auxiliary devices (CVE-2025-7382).
- Restrict WebAdmin and SSH access to trusted internal IP addresses only; never expose these interfaces to the internet.
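The recommendations above amount to a per-device triage: is the release line in the affected range, has the hotfix been confirmed installed, and are the enabling features (SPX with HA, legacy SMTP proxy with quarantine, OTP admin auth on an HA auxiliary) actually in use? The script below is an added example, not code from Sophos or from the advisory, that encodes the affected-version ceilings and configuration preconditions from the tables above and runs them over a constructed inventory. The `Firewall` field names, the `hotfixed` set (meant to be filled from the KBA hotfix check) and the sample devices are assumptions for illustration; the version parser accepts only the "major.minor GA" and "major.minor MRn" forms used in the tables and rejects anything else rather than guessing.

```python
import re
from dataclasses import dataclass, field

# Severity and affected-version ceiling per CVE, taken from the advisory's tables.
# A device is in scope for a CVE when its SFOS version is at or below the ceiling.
# Tuples are (major, minor, maintenance release); GA counts as maintenance release 0.
ADVISORY = {
    "CVE-2025-6704":  ("Critical", (21, 5, 0)),   # <= v21.5 GA
    "CVE-2025-7624":  ("Critical", (21, 5, 0)),
    "CVE-2025-7382":  ("High",     (21, 5, 0)),
    "CVE-2024-13974": ("High",     (21, 0, 0)),   # <= v21.0 GA
    "CVE-2024-13973": ("Medium",   (21, 0, 0)),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\s*(?:GA|MR-?(\d+))\s*$", re.IGNORECASE)


def parse_sfos_version(text: str) -> tuple:
    """Parse 'v21.0 MR2', '21.5 GA' or '21.0 MR-1' into a comparable tuple.

    Any other shape is rejected rather than guessed at, so an inventory row
    with a mangled version field fails loudly instead of being marked safe.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    major, minor, mr = m.groups()
    return (int(major), int(minor), int(mr) if mr else 0)


@dataclass
class Firewall:
    """Inventory record; field names are assumptions for this example, not Sophos API fields."""
    name: str
    version: str
    hotfixed: set = field(default_factory=set)  # CVE IDs confirmed installed via the KBA check
    ha_mode: bool = False               # device is part of an HA pair
    ha_auxiliary: bool = False          # ...and is the auxiliary node
    spx_enabled: bool = False           # Secure PDF eXchange in use
    legacy_smtp_proxy: bool = False     # legacy (transparent) SMTP proxy rather than MTA mode
    smtp_quarantine: bool = False       # a quarantining policy is active
    otp_admin_auth: bool = False        # OTP enabled for admin authentication
    upgraded_from_pre_21: bool = False  # upgraded from a release older than v21.0 GA


def preconditions_met(fw: Firewall, cve: str) -> bool:
    """Configuration preconditions per CVE, as described in the advisory table."""
    if cve == "CVE-2025-6704":
        return fw.spx_enabled and fw.ha_mode
    if cve == "CVE-2025-7624":
        return fw.legacy_smtp_proxy and fw.smtp_quarantine and fw.upgraded_from_pre_21
    if cve == "CVE-2025-7382":
        return fw.ha_auxiliary and fw.otp_admin_auth
    # CVE-2024-13974 (Up2Date) and CVE-2024-13973 (WebAdmin, post-auth) carry no
    # configuration precondition on the page, so every in-scope device counts as exposed.
    return True


def triage(fw: Firewall) -> list:
    """Return [(cve, severity), ...] the device is still exposed to, in advisory order."""
    version = parse_sfos_version(fw.version)
    exposed = []
    for cve, (severity, ceiling) in ADVISORY.items():
        if version > ceiling:
            continue                    # release line is outside the affected range
        if cve in fw.hotfixed:
            continue                    # hotfix confirmed installed
        if preconditions_met(fw, cve):
            exposed.append((cve, severity))
    return exposed


# Constructed sample inventory (not real devices).
FLEET = [
    Firewall("edge-fw-1", "21.5 GA", ha_mode=True, spx_enabled=True),
    Firewall("edge-fw-2", "v21.0 MR1",
             hotfixed={"CVE-2025-6704", "CVE-2025-7624", "CVE-2025-7382"},
             ha_mode=True, ha_auxiliary=True, otp_admin_auth=True,
             legacy_smtp_proxy=True, smtp_quarantine=True, upgraded_from_pre_21=True),
    Firewall("branch-fw-7", "20.0 MR3"),
]


def report(fleet) -> dict:
    """Map device name -> list of (cve, severity) the device is still exposed to."""
    return {fw.name: triage(fw) for fw in fleet}


if __name__ == "__main__":
    for name, findings in report(FLEET).items():
        print(name, "->", ", ".join(f"{c} ({s})" for c, s in findings) or "no exposure found")
```

Two design points worth keeping: the hotfix status is a separate input rather than something derived from the version string, because a supported release only becomes safe once the hotfix actually landed, and the version parser refuses unfamiliar strings so a typo in the inventory cannot silently push a device out of scope.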
Source:
- https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce