Sophos has recently addressed multiple critical vulnerabilities in its firewall products, notably two that allow pre-authentication remote code execution (RCE). These flaws could enable attackers to compromise systems without valid credentials, posing significant security risks.
Overview of the Vulnerabilities
The identified vulnerabilities are:
– CVE-2025-6704: An arbitrary file write flaw in the Secure PDF eXchange (SPX) feature, enabling pre-authentication RCE.
– CVE-2025-7624: A SQL injection vulnerability in the legacy transparent SMTP proxy, leading to pre-authentication RCE.
– CVE-2025-7382: A command injection vulnerability in WebAdmin, allowing adjacent attackers to achieve pre-authentication code execution on High Availability (HA) auxiliary devices.
– CVE-2024-13974: A business logic flaw in the Up2Date component, permitting attackers to control the firewall’s DNS environment and achieve remote code execution.
– CVE-2024-13973: A post-authentication SQL injection vulnerability in WebAdmin, enabling administrators to execute arbitrary code.
Detailed Analysis
CVE-2025-6704: This critical vulnerability is an arbitrary file write within the SPX feature that leads to pre-authentication RCE. It specifically affects devices operating in HA mode with certain SPX configurations enabled, impacting approximately 0.05% of deployed devices. Security researchers discovered this flaw through Sophos’s bug bounty program and responsibly disclosed it to the company.
CVE-2025-7624: This SQL injection vulnerability resides in the legacy transparent SMTP proxy and can result in pre-authentication RCE. It affects systems with active email quarantining policies and devices upgraded from versions older than SFOS 21.0 GA, potentially impacting up to 0.73% of deployed firewalls. This highlights the risks associated with legacy components in modern network infrastructures.
CVE-2025-7382: A command injection vulnerability in WebAdmin allows adjacent attackers to execute code pre-authentication on HA auxiliary devices. This high-severity flaw requires One-Time Password (OTP) authentication for admin users to be enabled and affects approximately 1% of devices, underscoring the additional exposure that HA configurations can introduce.
CVE-2024-13974: This vulnerability stems from business logic flaws in the Up2Date component that enable attackers to control the firewall’s DNS environment and achieve remote code execution. Discovered and disclosed by the UK’s National Cyber Security Centre (NCSC), this high-severity issue emphasizes the importance of robust update mechanisms.
CVE-2024-13973: A post-authentication SQL injection vulnerability in WebAdmin allows administrators to execute arbitrary code. While rated medium severity, it still poses a risk, particularly if administrative credentials are compromised.
Mitigation Measures
Sophos has implemented a multi-phase hotfix deployment strategy, prioritizing critical vulnerabilities. Organizations with automatic hotfix installation enabled have received these patches automatically, as this is the default configuration. Sophos has confirmed no evidence of active exploitation for any of these vulnerabilities.
Recommendations for Users
Users running supported versions of Sophos Firewall are advised to:
1. Verify Hotfix Installation: Ensure that automatic hotfix installation is enabled and that the latest patches have been applied.
2. Review Configurations: Assess firewall configurations, especially those related to SPX, HA mode, and email quarantining policies, to identify potential exposure to these vulnerabilities.
3. Update Legacy Systems: For devices running older versions, plan for an upgrade to supported versions to receive ongoing security updates.
4. Monitor for Unusual Activity: Implement monitoring to detect any signs of exploitation or unauthorized access attempts.
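As an added illustration of step 2 (this is example code written for this article, not Sophos code or a Sophos export format), the following Python helper maps the configuration preconditions stated above to the CVEs they expose; the inventory record layout, its field names and the sample devices are assumptions made for the example.

```python
"""Exposure triage for the advisory conditions described above.

Constructed example: the Device fields (including first_installed, the version
originally installed before any upgrade) are assumptions, not a Sophos schema.
"""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    sfos_version: str      # version currently running, e.g. "21.0.1"
    first_installed: str   # version the device was first installed with (assumed field)
    ha_mode: bool
    ha_role: str           # "primary", "auxiliary", or "" when not in HA
    spx_enabled: bool
    email_quarantine: bool
    admin_otp_enabled: bool


def version_tuple(v: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'-style strings, ignoring suffixes like ' GA'."""
    nums = []
    for part in v.split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def exposure(d: Device) -> list:
    """Return the CVEs whose stated preconditions this device matches.

    CVE-2024-13974 and CVE-2024-13973 carry no configuration precondition in the
    advisory text, so they are not matched here; they are addressed by patching.
    """
    hits = []
    if d.ha_mode and d.spx_enabled:
        hits.append("CVE-2025-6704")   # SPX file write: HA mode with SPX enabled
    if d.email_quarantine and version_tuple(d.first_installed) < (21, 0, 0):
        hits.append("CVE-2025-7624")   # legacy SMTP proxy SQLi: quarantine + pre-21.0 GA origin
    if d.ha_mode and d.ha_role == "auxiliary" and d.admin_otp_enabled:
        hits.append("CVE-2025-7382")   # WebAdmin injection: HA auxiliary with admin OTP
    return hits


def triage(devices) -> dict:
    """Map each device name to the list of matching CVEs."""
    return {d.name: exposure(d) for d in devices}


INVENTORY = [  # constructed sample data, not real devices
    Device("fw-edge-1", "21.0.1", "21.0.0", True, "primary", True, False, False),
    Device("fw-edge-2", "21.0.1", "21.0.0", True, "auxiliary", True, False, True),
    Device("fw-mail", "21.5.0", "19.5.3", False, "", False, True, False),
    Device("fw-branch", "21.0.1", "21.0.0", False, "", False, False, True),
]

if __name__ == "__main__":
    for name, cves in triage(INVENTORY).items():
        print(f"{name}: {', '.join(cves) or 'no configuration-conditional exposure'}")
```

A device with an empty result still needs the hotfixes, since two of the listed CVEs are not tied to any particular configuration.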
Conclusion
The discovery and prompt patching of these vulnerabilities underscore the critical importance of maintaining up-to-date security measures and configurations. Organizations must remain vigilant, ensuring that their systems are patched and configured securely to mitigate potential threats.