Pre-Auth Remote Code Execution Flaws Patched in Sophos Firewall
Summary: Sophos has resolved several critical security vulnerabilities in its Firewall products. The most severe of these could allow remote code execution without authentication, potentially giving attackers full control over affected systems.
| Field | Value |
| --- | --- |
| OEM | Sophos |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-6704, CVE-2025-7624 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
To address these issues, Sophos has issued hotfixes for five separate vulnerabilities. Two of these are rated Critical and present a serious threat to enterprise networks worldwide.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| --- | --- | --- | --- | --- |
| Arbitrary file write vulnerability in Secure PDF eXchange (SPX) feature | CVE-2025-6704 | Sophos Firewall | Critical | SFOS 21.0 MR2 (21.0.2) and later |
| SQL injection vulnerability in legacy SMTP proxy | CVE-2025-7624 | Sophos Firewall | Critical | SFOS 21.0 MR2 (21.0.2) and later |
Technical Summary
CVE-2025-6704 and CVE-2025-7624 affect Sophos Firewall versions prior to 21.0 MR2 (21.0.2); both carry a CVSS v3.1 base score of 9.8, indicating critical severity.
CVE-2025-6704 is an arbitrary file write vulnerability in the Secure PDF eXchange (SPX) feature.
When SPX is enabled and the firewall operates in High Availability (HA) mode, attackers can exploit this flaw to execute arbitrary code remotely without authentication. This pre-authentication remote code execution can lead to full system compromise, affecting confidentiality, integrity and availability.
CVE-2025-7624 is an SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall. If a quarantining policy is active for email and the system was upgraded from a version older than 21.0 GA, this weakness could allow remote code execution.
Exploitation of this flaw can lead to unauthorized access, manipulation of firewall configurations, and potential lateral movement within the network.
| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-6704 | v21.5 GA and older | A rare SPX feature flaw in HA mode can allow pre-auth remote code execution, affecting 0.05% of devices. | Pre-auth remote code execution (RCE) in Sophos Firewall SPX feature |
| CVE-2025-7624 | v21.5 GA and older | An SQL injection in the legacy SMTP proxy can enable remote code execution if email quarantine is active and SFOS was upgraded from pre-21.0 GA. It affects up to 0.73% of devices. | Remote code execution via SMTP proxy |
In addition to the Critical vulnerabilities, two High and one Medium severity issues were addressed.
CVE-2025-7382 – Command Injection in WebAdmin Interface (CVSS 8.8)
A WebAdmin command injection flaw allows adjacent pre-auth code execution on HA auxiliary devices if admin OTP is enabled.
CVE-2024-13974 – Business Logic Vulnerability in Up2Date Component (CVSS 8.1)
A business logic flaw in Up2Date lets attackers control firewall DNS to enable remote code execution.
CVE-2024-13973 – Post-Auth SQLi Vulnerability in WebAdmin (CVSS 6.8)
A post-auth SQL injection in WebAdmin allows admins to execute arbitrary code.
Remediation:
Users should immediately update Sophos Firewall to the latest patched version:
- For CVE-2025-6704, CVE-2025-7624, CVE-2025-7382: Upgrade to Sophos Firewall 21.0 MR2 (21.0.2) or later.
- For CVE-2024-13974 and CVE-2024-13973: Upgrade to Sophos Firewall 21.0 MR1 (20.0.1) or later.
If you are not using the Secure PDF eXchange (SPX) feature or the legacy SMTP proxy, consider disabling them until the firewall has been patched.
Users running versions older than the supported range must upgrade to receive these fixes and maintain adequate defense against exploitation attempts.
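The remediation steps above reduce to a version check combined with the exposure preconditions the advisory lists for each CVE (SPX plus HA mode, legacy SMTP proxy plus quarantine plus an upgrade from pre-21.0 GA, HA plus admin OTP). The following inventory triage script is an added example, not Sophos code or part of this advisory: it parses SFOS version strings of the form shown here ("SFOS 21.0 MR2 (21.0.2)", "21.0.2", "21.0 GA"), compares them against the fixed versions stated above, and separates devices that merely need the update from devices that are currently exposed. The version-string format, the `Firewall` record fields and the sample inventory are assumptions; the advisory gives "21.0 MR1 (20.0.1)" for the two 2024 CVEs, and the example assumes "21.0 MR1" maps to 21.0.1 following the same MR-to-dotted pattern as "21.0 MR2 (21.0.2)".

```python
import re
from dataclasses import dataclass

# Minimum fixed versions per CVE, taken from the advisory's remediation section.
# ASSUMPTION: "21.0 MR1" is read as 21.0.1 (same pattern as "21.0 MR2 (21.0.2)").
FIXED_IN = {
    "CVE-2025-6704": (21, 0, 2),
    "CVE-2025-7624": (21, 0, 2),
    "CVE-2025-7382": (21, 0, 2),
    "CVE-2024-13974": (21, 0, 1),
    "CVE-2024-13973": (21, 0, 1),
}

# Accepts "21.0.2", "21.0 MR2", "SFOS 21.0 MR2 (21.0.2)", "SFOS 21.0 GA".
# ASSUMPTION: this is the family of version strings an inventory export contains.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\s*MR\s*(\d+))?", re.IGNORECASE)


def parse_sfos_version(text):
    """Return (major, minor, patch); a GA release with no MR number gets patch 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:        # dotted patch number present
        patch = int(m.group(3))
    elif m.group(4) is not None:      # only a maintenance-release number present
        patch = int(m.group(4))
    else:
        patch = 0
    return (major, minor, patch)


@dataclass
class Firewall:
    """Hypothetical inventory record; the boolean fields mirror the advisory's preconditions."""
    name: str
    version: str
    spx_enabled: bool = False
    ha_mode: bool = False
    legacy_smtp_proxy: bool = False
    email_quarantine: bool = False
    upgraded_from_pre_21: bool = False
    admin_otp_enabled: bool = False


def triage(fw):
    """Classify one firewall: 'unpatched' = below the fixed version,
    'exposed' = unpatched AND the advisory's preconditions for that CVE are met."""
    v = parse_sfos_version(fw.version)
    unpatched = [cve for cve, fixed in FIXED_IN.items() if v < fixed]
    preconditions = {
        "CVE-2025-6704": fw.spx_enabled and fw.ha_mode,
        "CVE-2025-7624": fw.legacy_smtp_proxy and fw.email_quarantine and fw.upgraded_from_pre_21,
        "CVE-2025-7382": fw.ha_mode and fw.admin_otp_enabled,
        # The advisory states no feature precondition for the two 2024 issues.
        "CVE-2024-13974": True,
        "CVE-2024-13973": True,
    }
    exposed = [cve for cve in unpatched if preconditions[cve]]
    return {"unpatched": unpatched, "exposed": exposed}


def triage_inventory(firewalls):
    """Map device name -> triage result for a whole inventory."""
    return {fw.name: triage(fw) for fw in firewalls}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-01", "SFOS 21.0 MR2 (21.0.2)", spx_enabled=True, ha_mode=True),
    Firewall("branch-fw-02", "SFOS 21.0 GA", spx_enabled=True, ha_mode=True,
             legacy_smtp_proxy=True, email_quarantine=False, upgraded_from_pre_21=True),
    Firewall("lab-fw-03", "21.0 MR1"),
]

if __name__ == "__main__":
    for name, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: unpatched={result['unpatched']} exposed={result['exposed']}")
```

In the sample run, `branch-fw-02` is exposed to CVE-2025-6704 (SPX on, HA on) but not to CVE-2025-7624, because quarantine is off; `lab-fw-03` has no feature exposure yet is still listed as unpatched for the three 21.0.2 fixes, which is the distinction the advisory's "disable the feature until patched" guidance relies on: disabling a feature removes exposure, not the need to update.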
Conclusion:
Sophos has patched two critical vulnerabilities in Sophos Firewall that allow attackers to execute code remotely without logging in. Although only a small percentage of devices are affected, the flaws are serious.
Sophos quickly pushed automatic fixes, and no attacks have been seen so far. Users should verify that their firewalls are fully updated and have auto-update enabled to stay protected.
The impact scope for these vulnerabilities reaches up to 0.73% of deployed devices. Both critical vulnerabilities were discovered and responsibly disclosed through Sophos' bug bounty program by external security researchers.