Analysis Summary

Sophos has disclosed multiple high-impact vulnerabilities affecting Sophos Firewall versions 21.5 GA and earlier, including two critical flaws CVE-2025-6704 and CVE-2025-7624 that allow pre-authentication remote code execution. These critical issues could enable attackers to compromise vulnerable devices without needing valid credentials, presenting a serious risk to exposed systems. Although no active exploitation has been reported, Sophos has deployed automatic hotfixes to mitigate the most severe threats, with users urged to confirm that their devices are fully patched.

CVE-2025-6704 is the most critical, affecting the Secure PDF eXchange (SPX) feature in High Availability (HA) mode. This arbitrary file writing vulnerability can be exploited without authentication, potentially enabling full remote control of the system. Though it affects a small percentage (0.05%) of devices, its severity is extreme. Similarly, CVE-2025-7624 exposes a SQL injection vulnerability in the legacy transparent SMTP proxy, impacting systems with legacy email quarantine policies. This too allows pre-auth RCE and affects up to 0.73% of devices, demonstrating the persistent risks posed by outdated legacy components.

Other serious vulnerabilities include CVE-2025-7382, a command injection flaw in the WebAdmin interface that allows pre-auth RCE from adjacent network locations under specific HA configurations with OTP enabled. CVE-2024-13974, reported by the UK’s NCSC, is a business logic flaw in the Up2Date feature, allowing manipulation of the firewall’s DNS environment to achieve RCE. Additionally, CVE-2024-13973 is a post-authentication SQL injection in WebAdmin that allows admins to execute arbitrary code, less severe but still important in shared admin environments.

Sophos has responded with a multi-phase hotfix strategy, prioritizing automatic updates for critical vulnerabilities. Most users running supported versions (e.g., 19.0 MR2, 20.0 MR2/MR3, and 21.0 GA) have received patches without manual intervention, but administrators are advised to verify patch status using Sophos documentation. While no exploitation has yet been detected, organizations should review HA configurations, restrict admin access, and retire legacy settings where possible to minimize exposure and strengthen overall network security posture.

Impact

• Data Manipulation
• Gain Access
• Code Execution

Indicators of Compromise

CVE

• CVE-2025-6704

• CVE-2025-7624

• CVE-2025-7382

• CVE-2024-13974

• CVE-2024-13973

Affected Vendors

Affected Products

• Sophos Firewall - 21.0.0
• Sophos Firewall - 21.5

Remediation

• Upgrade to the latest supported version of Sophos Firewall.
• Ensure automatic hotfix installation is enabled. This is the default setting and applies critical patches automatically.
• Verify hotfix application status using official Sophos support documentation or the firewall's admin interface.
• Disable or reconfigure legacy features such as the transparent SMTP proxy and SPX features if not required.
• Review and limit use of High Availability (HA) mode configurations, especially if not essential.
• Restrict WebAdmin interface access to trusted internal networks and authorized personnel only.
• Apply strong access controls for administrative users, including enforcing OTP where possible.
• Regularly audit firewall configurations for outdated policies or legacy components that could introduce vulnerabilities.
• Monitor logs for unusual behavior related to file writing, email quarantine, or configuration changes.
• Follow a defense-in-depth strategy, including network segmentation and endpoint monitoring, to reduce attack surface.