Critical Sophos Firewall Vulnerabilities Enable Pre-Auth Remote Code Execution
Sophos has disclosed multiple security vulnerabilities affecting its firewall products, two of which enable pre-authentication remote code execution and could allow attackers to compromise systems without valid credentials.
The vulnerabilities, tracked as CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, and CVE-2024-13973, impact various configurations of Sophos Firewall versions 21.5 GA and older, with automatic hotfixes already deployed to address the most severe flaws.
Key Takeaways
1. Five serious flaws in Sophos Firewall, including pre-auth remote code execution, have been patched.
2. Automatic hotfixes protect most users; no manual action is needed.
3. No exploitation detected, but users should confirm their firewalls are updated.
Critical Pre-Authentication Vulnerabilities
The most severe vulnerability, CVE-2025-6704, represents an arbitrary file writing flaw in the Secure PDF eXchange (SPX) feature that enables pre-authentication remote code execution.
This critical vulnerability specifically affects devices running in High Availability (HA) mode with specific SPX configurations enabled, impacting approximately 0.05% of deployed devices.
Security researchers discovered this flaw through Sophos’s bug bounty program and responsibly disclosed it to the company.
Equally concerning is CVE-2025-7624, a SQL injection vulnerability in the legacy transparent SMTP proxy that can lead to remote code execution.
This critical flaw affects systems with active quarantining policies for email and impacts devices upgraded from versions older than SFOS 21.0 GA, potentially affecting up to 0.73% of deployed firewalls.
The vulnerability demonstrates how legacy components can introduce significant security risks in modern network infrastructure.
High and Medium Severity Flaws
Beyond the critical pre-authentication vulnerabilities, CVE-2025-7382 presents a command injection vulnerability in WebAdmin that enables adjacent attackers to achieve pre-authentication code execution on HA auxiliary devices.
This high-severity flaw requires OTP authentication for admin users to be enabled and affects approximately 1% of devices, highlighting risks in high-availability configurations.
CVE-2024-13974 is a business logic flaw in the Up2Date component that allows an attacker to control the firewall’s DNS environment and achieve remote code execution. This high-severity issue was discovered and disclosed by the UK’s National Cyber Security Centre (NCSC).
Additionally, CVE-2024-13973 represents a post-authentication SQL injection vulnerability in WebAdmin that could enable administrators to execute arbitrary code.
| CVE ID | Title / Description | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-6704 | Arbitrary file writing in Secure PDF eXchange (SPX), pre-auth remote code execution possible | 9.8 | Critical |
| CVE-2025-7624 | SQL injection in legacy transparent SMTP proxy, pre-auth remote code execution possible | 9.8 | Critical |
| CVE-2025-7382 | Command injection in WebAdmin, adjacent pre-auth code execution on HA auxiliary devices | 8.8 | High |
| CVE-2024-13974 | Business logic flaw in Up2Date, remote code execution via DNS control | 8.2 | High |
| CVE-2024-13973 | Post-auth SQL injection in WebAdmin, arbitrary code execution for administrators | 6.6 | Medium |
Mitigations
Sophos has implemented a multi-phase hotfix deployment strategy, with critical vulnerabilities receiving priority treatment.
Organizations with automatic hotfix installation enabled, which is the default configuration, receive these patches automatically.
Sophos has confirmed no evidence of active exploitation for any of these vulnerabilities.
Users running supported versions including 19.0 MR2, 20.0 MR2/MR3, and 21.0 GA variants should verify hotfix application through Sophos support documentation to ensure comprehensive protection against these critical security flaws.