Sophos fixed two critical Sophos Firewall vulnerabilities

Sophos addressed five Sophos Firewall vulnerabilities that could allow remote attackers to execute arbitrary code.

Sophos has fixed five vulnerabilities (CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, CVE-2024-13973) in Sophos Firewall that could allow an attacker to remotely execute arbitrary code.

“Sophos has resolved five independent security vulnerabilities in Sophos Firewall. Every Critical and High severity vulnerability was remediated through hotfixes,” reads the advisory. “No action is required for Sophos Firewall customers to receive these fixes with the ‘Allow automatic installation of hotfixes’ feature enabled on remediated versions (see Remediation section below). Enabled is the default setting.”

The critical flaw CVE-2025-6704 (CVSS score of 9.8) in Sophos Firewall’s SPX feature can lead to pre-auth remote code execution if combined with HA mode. The issue affects ~0.05% of devices and was responsibly disclosed via Sophos’ bug bounty program.

The flaw CVE-2025-7624 (CVSS score of 9.8) is an SQL injection in Sophos Firewall’s legacy SMTP proxy that may allow remote code execution if email quarantining is active and the system was upgraded from pre-21.0 GA versions. It affects up to 0.73% of devices and was responsibly disclosed via Sophos’ bug bounty program.

The remaining flaws addressed by the cybersecurity firm are two high-severity vulnerabilities, respectively tracked as CVE-2025-7382 and CVE-2024-13974, and a medium-severity issue tracked as CVE-2024-13973.

CVE-2025-7382 (CVSS score of 8.8) is a command injection in WebAdmin that may allow adjacent attackers to execute code pre-auth on HA auxiliary devices if OTP is enabled. It affects ~1% of devices.

CVE-2024-13974 (CVSS score of 8.1) is a business logic flaw in the Up2Date component that could let attackers control DNS settings and achieve remote code execution. Both flaws were responsibly disclosed.

In December 2024, Sophos fixed three Sophos Firewall flaws that could lead to SQL injection, privileged SSH access to devices, and remote code execution.

Pierluigi Paganini

(SecurityAffairs – hacking, Sophos Firewall)
