
Critical Sophos Firewall Vulnerabilities Allow Pre-Auth Remote Code Execution


Sophos has disclosed five independent security vulnerabilities affecting its Firewall products, with two critical vulnerabilities enabling attackers to achieve remote code execution without authentication.

The cybersecurity vendor published the advisory on July 21, 2025, detailing vulnerabilities that impact specific configurations of Sophos Firewall installations, though the affected device populations remain relatively small at less than 1% for most issues.

The most severe vulnerabilities, CVE-2025-6704 and CVE-2025-7624, both carry critical severity ratings and enable remote code execution capabilities.

CVE-2025-6704 is an arbitrary file write vulnerability in the Secure PDF eXchange (SPX) feature that can lead to pre-authentication remote code execution when a specific SPX configuration is enabled and the firewall is running in High Availability (HA) mode.

This vulnerability affects approximately 0.05% of Sophos Firewall devices: a small population, but one exposed to unauthenticated compromise of the firewall itself.

The second critical vulnerability, CVE-2025-7624, involves an SQL injection vulnerability in the legacy transparent SMTP proxy component.

This vulnerability can escalate to remote code execution when quarantining policies are active for email processing and the Sophos Firewall Operating System (SFOS) has been upgraded from versions predating 21.0 GA.

The impact scope for this vulnerability reaches up to 0.73% of deployed devices. Both critical vulnerabilities were discovered and responsibly disclosed through Sophos’ bug bounty program by external security researchers.


Beyond the critical vulnerabilities, security researchers identified three additional vulnerabilities of varying severity levels:

  • CVE-2025-7382 (High Severity): A command injection vulnerability in the WebAdmin interface that enables adjacent attackers to achieve pre-authentication code execution on High Availability auxiliary devices when one-time password (OTP) authentication is enabled for administrative users. This vulnerability impacts approximately 1% of devices in specific configurations.
  • CVE-2024-13974 (High Severity): A business logic vulnerability in the Up2Date component that allows attackers controlling the firewall’s DNS environment to achieve remote code execution. The UK’s National Cyber Security Centre (NCSC) played a crucial role in responsibly disclosing this vulnerability to Sophos.
  • CVE-2024-13973 (Medium Severity): A post-authentication SQL injection vulnerability in WebAdmin that could enable administrators to execute arbitrary code. This vulnerability was also responsibly disclosed by the UK’s National Cyber Security Centre (NCSC).

Hotfixes Deployed, No Evidence of Exploitation

Sophos has addressed all identified vulnerabilities through automatic hotfix deployments; no manual intervention is required for customers who keep the default “Allow automatic installation of hotfixes” setting enabled.

The remediation timeline spans from January 2025 for the earliest fixes to July 2025 for the most recent patches. CVE-2025-6704 received hotfixes beginning June 24, 2025, while CVE-2025-7624 was addressed starting July 15, 2025.

The company reports no evidence of active exploitation of these vulnerabilities in the wild, suggesting that the coordinated disclosure process and rapid hotfix deployment prevented widespread abuse.

Organizations running supported versions of Sophos Firewall (v19.0 MR2 and newer) should verify hotfix installation through the vendor’s provided verification procedures.

Users operating legacy versions prior to the supported range must upgrade their systems to receive these critical security protections and maintain adequate defense against potential exploitation attempts.
