SecurityWeek

Network Security

Critical Vulnerabilities Patched in Sophos Firewall

Sophos has patched five vulnerabilities in Sophos Firewall that could allow remote attackers to execute arbitrary code.


Sophos this week announced the rollout of patches for five vulnerabilities in Sophos Firewall that could lead to remote code execution (RCE).

The first issue, tracked as CVE-2025-6704 (CVSS score of 9.8), is a critical arbitrary file write flaw in the Secure PDF eXchange (SPX) feature of the appliance that could allow remote, unauthenticated attackers to execute arbitrary code.

According to Sophos’s advisory, the bug impacts only a fraction of firewall deployments, as it can only be triggered if a specific configuration of SPX is enabled and if the firewall is running in High Availability (HA) mode.

The second defect, tracked as CVE-2025-7624 (CVSS score of 9.8), is an SQL injection issue in the legacy SMTP proxy of the appliance.

The vulnerability, which also leads to RCE, can only be triggered “if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA”. Thus, it impacts less than 1% of devices, Sophos says.

The company also resolved a high-severity command injection bug in the WebAdmin component of the firewall that could allow remote, unauthenticated attackers to execute arbitrary code on High Availability (HA) auxiliary devices.


Tracked as CVE-2025-7382 (CVSS score of 8.8), the flaw can only be triggered if OTP authentication for the admin user is enabled.

Over the past month, Sophos released hotfixes to address these issues in Firewall versions 19.0 MR2 (19.0.2.472), 20.0 MR2 (20.0.2.378), 20.0 MR3 (20.0.3.427), 21.0 GA (21.0.0.169), 21.0 MR1 (21.0.1.237), 21.0 MR1-1 (21.0.1.272), 21.0 MR1-2 (21.0.1.277), and 21.5 GA (21.5.0.171).

The patches were also included in version 21.0 MR2 of the appliance.

The last two bugs described in Sophos’s advisory, CVE-2024-13974 and CVE-2024-13973, were discovered in the appliance’s Up2Date and WebAdmin components, respectively. Exploiting the Up2Date flaw requires the attacker to control the firewall’s DNS environment, while exploiting the WebAdmin flaw requires the attacker to be logged in as an administrator.

Patches for these security defects were first included in Sophos Firewall version 21.0 MR1.

Customers running older versions of the firewall are required to upgrade to receive these patches, the company says. Sophos notes that it has not observed these flaws being exploited in the wild.
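The version lists above mix two different situations: builds that carry the fixes natively (21.0 MR2 for the three RCE flaws, 21.0 MR1 and later for the two 2024 CVEs) and older builds that were patched by hotfix. The following Python is an added triage helper written for this article, not Sophos tooling, that sorts an inventory of reported build strings into those buckets. It assumes that applying a hotfix does not change the build string the appliance reports, so a device on a hotfixed build must still have its hotfix status confirmed on the device, and that later 21.0 maintenance releases include the 21.0 MR2 fixes. The inventory lines and hostnames are constructed sample input.

```python
"""Triage Sophos Firewall (SFOS) build strings against the builds named in the article.

Added example; not Sophos tooling. ASSUMPTIONS: a hotfix does not alter the
reported build string, and 21.0 maintenance releases after MR2 are cumulative.
"""
import re

# Builds that received a hotfix, keyed by build string (from the article).
HOTFIXED_BUILDS = {
    "19.0.2.472": "19.0 MR2",
    "20.0.2.378": "20.0 MR2",
    "20.0.3.427": "20.0 MR3",
    "21.0.0.169": "21.0 GA",
    "21.0.1.237": "21.0 MR1",
    "21.0.1.272": "21.0 MR1-1",
    "21.0.1.277": "21.0 MR1-2",
    "21.5.0.171": "21.5 GA",
}
RCE_FIXED_IN = (21, 0, 2)        # 21.0 MR2 ships the three 2025 RCE fixes natively
PAIR_2024_FIXED_IN = (21, 0, 1)  # CVE-2024-13974 / CVE-2024-13973 first fixed in 21.0 MR1
NEWEST_LISTED = "21.5.0.171"     # newest build the article says anything about

BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_build(build):
    """'21.0.1.237' -> (21, 0, 1, 237); raises ValueError for anything else."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"not an SFOS build string: {build!r}")
    return tuple(int(g) for g in m.groups())


def rce_status(build):
    """Status for CVE-2025-6704, CVE-2025-7624 and CVE-2025-7382."""
    parsed = parse_build(build)
    branch = parsed[:3]  # (major, minor, maintenance release)
    if build.strip() in HOTFIXED_BUILDS:
        # Hotfix exists for this exact build; the device must be checked for it.
        return "hotfix-available"
    if branch[:2] == (21, 0) and branch >= RCE_FIXED_IN:
        # 21.0 MR2 or a later 21.0 maintenance release (assumed cumulative).
        return "fixed-in-release"
    if parsed < parse_build(NEWEST_LISTED):
        # Older build with no hotfix named: the article says these must upgrade.
        return "upgrade-required"
    # Newer than anything the article covers (e.g. a later 21.5 build): check the advisory.
    return "unknown"


def pair_2024_status(build):
    """Status for CVE-2024-13974 (Up2Date) and CVE-2024-13973 (WebAdmin)."""
    parsed = parse_build(build)
    if parsed[:3] >= PAIR_2024_FIXED_IN:
        return "fixed-in-release"  # 21.0 MR1 or newer
    return "upgrade-required"      # the article names no hotfix for this pair on older builds


def triage(build):
    """Full verdict for one build string."""
    return {
        "build": build.strip(),
        "release": HOTFIXED_BUILDS.get(build.strip(), ""),
        "rce_2025": rce_status(build),
        "pair_2024": pair_2024_status(build),
    }


def triage_inventory(lines):
    """Parse 'hostname build' lines (constructed format) and triage each one."""
    verdicts = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, build = line.split()
        verdicts[host] = triage(build)
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are illustrative only.
    SAMPLE = """
    # host        reported SFOS build
    fw-edge-01    21.0.1.237
    fw-edge-02    21.0.2.300
    fw-branch-07  20.0.1.100
    fw-lab-01     21.5.1.100
    """.splitlines()
    for host, verdict in triage_inventory(SAMPLE).items():
        print(f"{host:14} {verdict['build']:12} rce_2025={verdict['rce_2025']:18} "
              f"pair_2024={verdict['pair_2024']}")
```

A device reported as `hotfix-available` is not cleared by this script; the hotfix has to be confirmed on the appliance itself, which is the reason the builds are kept as an explicit table rather than folded into a plain numeric comparison.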


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
