Sophos has announced five independent security vulnerabilities in its Sophos Firewall product, including two critical ones that allow remote code execution without authentication. The advisory, released on July 21, 2025, stresses that each vulnerability only affects devices with a specific configuration; in most cases the share of affected devices is below 1%.


The two most serious vulnerabilities are CVE-2025-6704 and CVE-2025-7624, both rated “critical” and both allowing an unauthenticated attacker to execute code remotely. CVE-2025-6704 is an arbitrary file write vulnerability in the Secure PDF eXchange (SPX) feature, which can be exploited for pre-authentication remote code execution when a specific SPX configuration is enabled together with High Availability (HA) mode. It affects only about 0.05% of Sophos Firewall devices but poses a high risk to those. CVE-2025-7624 is an SQL injection vulnerability in the legacy (transparent) SMTP proxy component; it can lead to remote code execution when an email quarantine policy is enabled and the firewall was upgraded from an SFOS version older than 21.0 GA. Its scope is wider, affecting up to 0.73% of deployed devices.

Both vulnerabilities were discovered and responsibly reported by external security researchers through Sophos’ bug bounty program.

Three further vulnerabilities of high to medium severity were also disclosed:

  • CVE-2025-7382 (high): A command injection vulnerability in the WebAdmin interface that allows an adjacent attacker to execute code on High Availability (HA) auxiliary devices before authentication, provided HA mode is in use and OTP authentication is enabled for the administrator account. It affects about 1% of Sophos Firewall devices.
  • CVE-2024-13974 (high): A business logic vulnerability in the Up2Date component that allows an attacker to take control of the firewall’s DNS environment and achieve remote code execution. It was discovered and reported by the UK National Cyber Security Centre (NCSC).
  • CVE-2024-13973 (medium): A post-authentication SQL injection vulnerability in WebAdmin that could allow an administrator to execute arbitrary code. This vulnerability was also discovered and reported by the NCSC.

Sophos has addressed all five vulnerabilities with automatic patches delivered through its default hotfix mechanism; no manual intervention is required as long as the “Allow automatic installation of hotfixes” option is enabled. Hotfixes were rolled out between January 2025 and July 2025, with the fix for CVE-2025-6704 available from June 24 and the fix for CVE-2025-7624 from July 15. Sophos states that it has no evidence of any of these vulnerabilities being exploited in the wild, which it credits to the coordinated disclosure process and timely patching.

Organizations running Sophos Firewall version 19.0 MR2 or later should verify that the hotfixes have been installed, following the manufacturer’s instructions. Systems on older versions must be upgraded to a supported release to receive the latest protection against exploitation.

According to Cyber Press