In July 2025, cybersecurity firms Sophos and SonicWall disclosed critical vulnerabilities in their respective products: Sophos Firewall and SonicWall's Secure Mobile Access (SMA) 100 Series appliances. The flaws can lead to remote code execution (RCE) on perimeter devices, posing significant risk to organizations worldwide.
Sophos Firewall Vulnerabilities
Sophos identified multiple vulnerabilities within its firewall products:
1. CVE-2025-6704: A critical arbitrary file write vulnerability in the Secure PDF eXchange (SPX) feature. It can lead to pre-authentication remote code execution, but only when SPX is enabled in a specific configuration and the firewall is running in High Availability (HA) mode. The flaw carries a CVSS score of 9.8. ([securityweek.com](https://www.securityweek.com/critical-vulnerabilities-patched-in-sophos-firewall/?utm_source=openai))
2. CVE-2025-7624: An SQL injection vulnerability in the legacy (transparent) SMTP proxy that can lead to RCE. It is reachable only when an email quarantining policy is active and the firewall was upgraded from a version older than 21.0 GA. It also carries a CVSS score of 9.8. ([securityweek.com](https://www.securityweek.com/critical-vulnerabilities-patched-in-sophos-firewall/?utm_source=openai))
Additionally, Sophos addressed other vulnerabilities:
– CVE-2025-7382: A high-severity command injection vulnerability in the WebAdmin component that can result in pre-authentication code execution on HA auxiliary devices if One-Time Password (OTP) authentication is enabled for the admin user. This flaw has a CVSS score of 8.8. ([securityweek.com](https://www.securityweek.com/critical-vulnerabilities-patched-in-sophos-firewall/?utm_source=openai))
– CVE-2024-13974: A business logic vulnerability in the Up2Date component allows attackers to control the firewall’s DNS environment, potentially leading to RCE. This issue has a CVSS score of 8.1. ([securityweek.com](https://www.securityweek.com/critical-vulnerabilities-patched-in-sophos-firewall/?utm_source=openai))
– CVE-2024-13973: A post-authentication SQL injection vulnerability in WebAdmin could enable administrators to execute arbitrary code. It carries a CVSS score of 6.8. ([securityweek.com](https://www.securityweek.com/critical-vulnerabilities-patched-in-sophos-firewall/?utm_source=openai))
The U.K. National Cyber Security Centre (NCSC) discovered and reported both CVE-2024-13974 and CVE-2024-13973; those two flaws affect Sophos Firewall v21.0 GA (21.0.0) and older. Sophos has released fixes for all of the vulnerabilities above and urges customers to update their firewalls promptly. ([securityweek.com](https://www.securityweek.com/critical-vulnerabilities-patched-in-sophos-firewall/?utm_source=openai))
SonicWall SMA 100 Series Vulnerability
SonicWall disclosed a critical vulnerability in the SMA 100 Series web management interface:
– CVE-2025-40599: A post-authentication arbitrary file upload flaw in the web management interface. A remote attacker who already holds administrative privileges can upload arbitrary files, which can lead to RCE. It has a CVSS score of 9.1, affects the SMA 210, 410 and 500v, and is fixed in firmware version 10.2.2.1-90sv. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/?utm_source=openai))
SonicWall has seen no reports of CVE-2025-40599 being exploited in the wild, but it flagged a related risk: the Google Threat Intelligence Group (GTIG) identified a threat actor, tracked as UNC6148, compromising fully patched SMA 100 series appliances to deploy a backdoor named OVERSTEP. Because those devices were already up to date, the lesson is not simply to patch faster: a firmware update does not evict an intruder who already holds valid credentials, which is why the credential reset and OTP rebinding steps below matter as much as the upgrade itself. ([techradar.com](https://www.techradar.com/pro/security/hacker-using-backdoor-to-exploit-sonicwall-secure-mobile-access-to-steal-credentials?utm_source=openai))
Recommended Actions
Both Sophos and SonicWall recommend immediate action to mitigate these vulnerabilities:
– For Sophos Firewall Users:
    – Update to the latest firmware versions as provided by Sophos.
    – Review and adjust SPX configurations, especially in HA mode.
    – Ensure that email quarantining policies are correctly configured.
– For SonicWall SMA 100 Series Users:
    – Upgrade to firmware version 10.2.2.1-90sv or later.
    – Disable remote management access on the external-facing interface (X1) to reduce the attack surface.
    – Reset all passwords and reinitialize OTP bindings for users and administrators.
    – Enforce multi-factor authentication (MFA) for all users.
    – Enable the Web Application Firewall (WAF) on SMA 100 devices.
Organizations are also advised to review appliance logs and connection histories for anomalies and signs of unauthorized access. Implementing these measures will help safeguard systems against potential exploits targeting these vulnerabilities.
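As an added example (not tooling from Sophos or SonicWall), the following Python script triages an appliance inventory against the version thresholds stated above: SMA 100 firmware older than 10.2.2.1-90sv is flagged for CVE-2025-40599, and Sophos Firewall builds at 21.0 GA (21.0.0) or older are flagged as being in the range Sophos lists for CVE-2024-13974 and CVE-2024-13973. The inventory rows are constructed sample data, and the mapping of Sophos' "X.Y MRn" release names to X.Y.n is an assumption. A version string the script cannot parse is reported as a finding rather than silently treated as clean.

```python
"""Triage an appliance inventory against the July 2025 Sophos / SonicWall advisories.

Added example, not vendor code. The thresholds come from the advisories summarised
above; the inventory rows are constructed sample data.
"""
import re

# SonicWall's fixed build for CVE-2025-40599 (SMA 210 / 410 / 500v).
SMA_FIXED = "10.2.2.1-90sv"
# Sophos lists v21.0 GA (21.0.0) and older as affected by CVE-2024-13974 / CVE-2024-13973.
SFOS_NCSC_AFFECTED_MAX = "21.0.0"

# SMA firmware strings look like "10.2.2.1-90sv": four dotted numbers plus an "sv" build.
_SMA_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")
# Accepts "21.0.0", "21.0 GA", "21.0 MR1". Assumption: "X.Y MRn" == X.Y.n and "X.Y GA" == X.Y.0.
_SFOS_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*(?:GA|MR(\d+)))?$", re.IGNORECASE)


def parse_sma(version: str) -> tuple[int, ...]:
    """Return a comparable tuple for an SMA 100 firmware string, or raise ValueError."""
    m = _SMA_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware string: {version!r}")
    return tuple(int(g) for g in m.groups())


def parse_sfos(version: str) -> tuple[int, int, int]:
    """Return (major, minor, maintenance) for a Sophos Firewall version string."""
    m = _SFOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version string: {version!r}")
    major, minor, patch, mr = m.groups()
    level = int(mr) if mr is not None else int(patch or 0)
    return (int(major), int(minor), level)


def sma_needs_upgrade(version: str) -> bool:
    """True when the build is older than 10.2.2.1-90sv (tuple comparison is lexicographic)."""
    return parse_sma(version) < parse_sma(SMA_FIXED)


def sfos_in_ncsc_range(version: str) -> bool:
    """True when the build is 21.0.0 or older.

    A newer build is NOT cleared by this check: the three 2025 CVEs have their own
    affected range, so consult the Sophos advisory for those.
    """
    return parse_sfos(version) <= parse_sfos(SFOS_NCSC_AFFECTED_MAX)


# Constructed sample inventory: (hostname, product, firmware as reported by the device).
INVENTORY = [
    ("vpn-edge-1", "sma", "10.2.2.1-90sv"),
    ("vpn-edge-2", "sma", "10.2.1.15-81sv"),
    ("vpn-lab", "sma", "unknown"),
    ("fw-hq", "sfos", "21.0 GA"),
    ("fw-branch", "sfos", "21.5 MR1"),
]


def triage(rows):
    """Return (host, action) pairs. An unparseable version is a finding, not a pass."""
    findings = []
    for host, product, fw in rows:
        try:
            if product == "sma" and sma_needs_upgrade(fw):
                findings.append((host, f"upgrade to {SMA_FIXED} or later (CVE-2025-40599)"))
            elif product == "sfos" and sfos_in_ncsc_range(fw):
                findings.append((host, "21.0 GA or older: in range for CVE-2024-13974/13973, update"))
        except ValueError as exc:
            findings.append((host, f"verify manually: {exc}"))
    return findings


if __name__ == "__main__":
    for host, action in triage(INVENTORY):
        print(f"{host}: {action}")
```

The comparison is done on parsed integer tuples rather than on the raw strings, because a string comparison would rank "10.2.2.1-100sv" below "10.2.2.1-90sv". Feed it the firmware column exported from your asset inventory; anything it reports as "verify manually" is a device whose version field needs a human look before it is counted as patched.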