Redazione RHC : 22 July 2025 07:35
Sophos has released fixes for five independent security vulnerabilities in Sophos Firewall, two rated critical and the rest high and medium. The fixes were distributed as hotfixes that install automatically, with no action required from customers, as long as the “Allow automatic installation of hotfixes” option is enabled; it is enabled by default on the affected versions.
Among the fixed vulnerabilities, two critical flaws stand out. The first (CVE-2025-6704) is an arbitrary file write in the Secure PDF eXchange (SPX) feature that can lead to pre-authentication remote code execution in certain SPX configurations when the firewall runs in High Availability (HA) mode. The second (CVE-2025-7624) is a SQL injection in the legacy SMTP proxy which, when an email quarantine policy is in effect and the firewall has been upgraded from a version older than 21.0 GA, can also lead to remote code execution. Both were responsibly reported by external researchers through the Sophos bug bounty program.
| CVE ID | Description | Severity |
|---|---|---|
| CVE-2025-6704 | An arbitrary file write vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-authentication remote code execution if a specific SPX configuration is enabled in combination with the firewall running in High Availability (HA) mode. The issue, which affects approximately 0.05% of devices, was discovered and responsibly reported to Sophos by a third-party security researcher via the Sophos bug bounty program. | CRITICAL |
| CVE-2025-7624 | A SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution if an email quarantine policy is in effect and SFOS has been upgraded from a version older than 21.0 GA. The issue, which affects up to 0.73% of devices, was discovered and responsibly reported to Sophos by a third-party security researcher via the Sophos bug bounty program. | CRITICAL |
| CVE-2025-7382 | A command injection vulnerability in WebAdmin could allow adjacent attackers (on the same network segment) to execute code before authentication on auxiliary High Availability (HA) devices if OTP authentication is enabled for the admin user. The issue, which affects approximately 1% of devices, was discovered and responsibly reported to Sophos by an external security researcher via the Sophos bug bounty program. | HIGH |
| CVE-2024-13974 | A business logic vulnerability in the Up2Date component could allow attackers who control the firewall’s DNS environment to achieve remote code execution. The issue was discovered and responsibly reported to Sophos by an external security researcher. Sophos would like to thank the UK National Cyber Security Centre (NCSC) for responsibly reporting this issue to Sophos. | HIGH |
| CVE-2024-13973 | A post-authentication SQL injection vulnerability in WebAdmin could potentially allow administrators to execute arbitrary code. The issue was discovered and responsibly reported to Sophos by a third-party security researcher. Sophos would like to thank the UK National Cyber Security Centre (NCSC) for responsibly reporting this issue to Sophos. | MEDIUM |
The remaining vulnerabilities are CVE-2025-7382, a command injection in WebAdmin that could allow an attacker on an adjacent network segment to execute code before authentication on auxiliary HA devices when OTP authentication is enabled for the admin user; CVE-2024-13974, a business logic flaw in the Up2Date component that lets an attacker who already controls the firewall’s DNS environment achieve remote code execution; and CVE-2024-13973, a post-authentication SQL injection in WebAdmin that could allow an authenticated administrator to execute arbitrary code, rated medium severity.
Fixes are available for several firewall versions. Hotfixes for CVE-2025-6704 were released on June 24, 2025 for versions including 19.0 MR2, 20.0 MR2, 21.0 GA and 21.5 GA, while the other vulnerabilities received hotfixes distributed between January and July 2025. For CVE-2024-13974 and CVE-2024-13973, the fixes are built into the firmware starting with version 21.0 MR1. Users running earlier versions are encouraged to upgrade to maintain the highest level of protection; devices on which automatic hotfix installation has been disabled do not receive the hotfixes on their own and should be checked and updated explicitly.
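The version checks implied by the paragraph above, as an added example that is not part of the advisory or of any Sophos tooling: it parses SFOS version strings in the form used on this page, orders them on the assumption that GA precedes MR1, MR2 and so on within a release, and maps a device's configuration onto the preconditions the advisory states for each CVE. `DeviceFacts`, `triage` and the field names are hypothetical; the exact SPX setting is not named on the page, so `spx_enabled` is a placeholder for "the relevant SPX configuration is on".

```python
import re
from typing import NamedTuple, Optional


class SfosVersion(NamedTuple):
    major: int
    minor: int
    mr: int  # 0 for GA, n for MRn; assumed ordering GA < MR1 < MR2 < ...


# Accepts "21.0 GA", "21.0 MR1", "v20.0 MR-3", "19.0 MR2" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\s+(?:GA|MR\s*-?\s*(\d+))\s*$", re.IGNORECASE)


def parse_sfos_version(text: str) -> SfosVersion:
    """Parse an SFOS version string into a comparable (major, minor, mr) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    major, minor, mr = int(m.group(1)), int(m.group(2)), m.group(3)
    return SfosVersion(major, minor, 0 if mr is None else int(mr))


# Releases in which, per the advisory text on this page, the fix is built in.
FIXED_SINCE = {
    "CVE-2024-13974": "21.0 MR1",
    "CVE-2024-13973": "21.0 MR1",
}
# Version boundary named in the CVE-2025-7624 precondition.
V21_GA = parse_sfos_version("21.0 GA")


class DeviceFacts(NamedTuple):  # hypothetical structure, not a Sophos API
    running: str                          # firmware currently running, e.g. "21.0 GA"
    auto_hotfix: bool                     # "Allow automatic installation of hotfixes"
    upgraded_from: Optional[str] = None   # version the box was upgraded from, if known
    ha_mode: bool = False
    spx_enabled: bool = False             # placeholder: the SPX configuration the advisory refers to
    smtp_quarantine_policy: bool = False
    admin_otp: bool = False               # OTP authentication enabled for the admin user


def triage(facts: DeviceFacts) -> dict:
    """Return {cve: action} for each advisory CVE whose stated preconditions
    are met on this device; CVEs whose preconditions clearly fail are omitted."""
    running = parse_sfos_version(facts.running)
    out = {}

    # Firmware-built-in fixes: a simple version comparison decides.
    for cve, fixed_str in FIXED_SINCE.items():
        if running < parse_sfos_version(fixed_str):
            out[cve] = f"running {facts.running} is older than {fixed_str}: upgrade"

    # Hotfix-delivered fixes: flag when the page's preconditions apply, and say
    # whether the hotfix could have arrived automatically at all.
    hotfix_note = ("confirm the hotfix is installed (KBA-000010589)"
                   if facts.auto_hotfix else
                   "automatic hotfixes disabled, so nothing was applied on its own: remediate manually")

    if facts.ha_mode and facts.spx_enabled:
        out["CVE-2025-6704"] = "SPX configured on an HA pair: " + hotfix_note
    if (facts.smtp_quarantine_policy and facts.upgraded_from is not None
            and parse_sfos_version(facts.upgraded_from) < V21_GA):
        out["CVE-2025-7624"] = "quarantine policy and upgraded from pre-21.0 GA: " + hotfix_note
    if facts.ha_mode and facts.admin_otp:
        out["CVE-2025-7382"] = "admin OTP on an HA pair: " + hotfix_note
    return out


if __name__ == "__main__":
    # Constructed sample device, not real inventory data.
    box = DeviceFacts("21.0 GA", auto_hotfix=False, upgraded_from="20.0 MR2",
                      ha_mode=True, spx_enabled=True, smtp_quarantine_policy=True)
    for cve, action in triage(box).items():
        print(f"{cve}: {action}")
```

Note that a device at 21.0 MR1 or newer drops out of the two 2024 checks entirely, while the three 2025 CVEs are still reported when their preconditions hold, because the page says those fixes arrived as hotfixes rather than naming a release in which they are built in.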
To confirm that hotfixes have been applied correctly, Sophos recommends consulting the guide available on its support portal (KBA-000010589). The company thanked external researchers and the UK’s National Cyber Security Centre (NCSC) for their responsible vulnerability reporting, reiterating the importance of collaboration in continuously strengthening the security of its products.