Sophos Patches Critical Vulnerabilities in Sophos Firewall

270/68 Friday, July 25, 2025

Sophos has released fixes for five vulnerabilities affecting its Sophos Firewall product, including two critical flaws that could allow unauthenticated remote code execution (RCE), potentially enabling attackers to gain full control over affected devices. The vulnerabilities addressed include:

  • CVE-2025-6704 (CVSS 9.8): A critical flaw in the SPX feature of Sophos Firewall that allows unauthenticated attackers to execute commands remotely when High Availability (HA) mode is enabled. Although only approximately 0.05% of devices are affected, it remains a severe vulnerability; it was discovered through a bug bounty program.
  • CVE-2025-7624 (CVSS 9.8): A critical SQL Injection vulnerability in the legacy SMTP proxy system of Sophos Firewall. Devices that have email quarantine enabled and were upgraded from versions prior to 21.0 GA are at risk of being exploited remotely. Around 0.73% of devices are affected.
  • CVE-2025-7382 (CVSS 8.8): A Command Injection vulnerability in WebAdmin, which allows attackers within the same network (e.g., same LAN) to execute commands on secondary HA devices if OTP is enabled.
  • CVE-2024-13974 (CVSS 8.1): A Business Logic Flaw in the Up2Date feature, which can let attackers manipulate DNS settings and execute remote code.
  • CVE-2024-13973: A medium-severity vulnerability with undisclosed details, but it has already been patched.

Sophos confirmed that all five vulnerabilities have been addressed via a hotfix. No user action is required when the “Allow automatic installation of hotfixes” setting, which is enabled by default, is turned on. However, users are advised to verify that automatic hotfix installation is active to ensure full protection.

Source: https://securityaffairs.com/180283/security/sophos-addressed-five-sophos-firewall-vulnerabilities.html