What percentage of Sophos Firewall installations are vulnerable?

According to Sophos estimates, the vulnerabilities require specific configurations to be exploited, which covers less than 5% of the total install base. This means the majority of Sophos Firewall deployments are not vulnerable due to configuration requirements.

What is CVE-2025-6704?

CVE-2025-6704 is an arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature with a CVSS score of 9.8. It can lead to pre-authentication remote code execution if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode.

What is CVE-2025-7624?

CVE-2025-7624 is a SQL injection vulnerability in the legacy transparent SMTP proxy with a CVSS score of 9.8. The flaw can lead to remote code execution if a quarantining policy is active for email and SFOS was upgraded from a version older than 21.0 GA.

What is CVE-2025-7382?

CVE-2025-7382 is a command injection vulnerability in WebAdmin with a CVSS score of 8.8. This flaw can lead to adjacent attackers achieving pre-authentication code execution on High Availability (HA) auxiliary devices if OTP authentication for the admin user is enabled.

What is CVE-2024-13974?

CVE-2024-13974 is a business logic vulnerability in the Up2Date component with a CVSS score of 8.1. The flaw can lead to attackers controlling the firewall's DNS environment to achieve remote code execution.

What is CVE-2024-13973?

CVE-2024-13973 is a post-authentication SQL injection vulnerability in WebAdmin with a CVSS score of 6.8. This vulnerability can potentially lead to administrators achieving arbitrary code execution.

Which Sophos Firewall versions are affected by these vulnerabilities?

CVE-2024-13974 and CVE-2024-13973 affect Sophos Firewall v21.0 GA (21.0.0) and older versions. CVE-2025-6704, CVE-2025-7624, and CVE-2025-7382 impact Sophos Firewall v21.5 GA (21.5.0) and older versions.

When were patches released for these Sophos vulnerabilities?

CVE-2025-6704 hotfixes were published on June 24, 2025, with additional hotfixes on July 1, 2025. CVE-2025-7624 hotfixes were published on July 15, 2025, for all supported versions. Organizations using automatic hotfix installation received these critical patches without manual intervention.

What should organizations do about these Sophos vulnerabilities?

Organizations should update their Sophos firewalls and verify that hotfixes have been properly applied to their firewall deployments. This is critical for maintaining network security and preventing potential exploitation.

Do these vulnerabilities require authentication to exploit?

Most of these vulnerabilities can be exploited without authentication. CVE-2025-6704 and CVE-2025-7382 can lead to pre-authentication remote code execution, while CVE-2025-7624 also enables remote code execution. Only CVE-2024-13973 requires post-authentication access.

What specific configurations make Sophos Firewalls vulnerable?

Specific vulnerable configurations include: SPX enabled with High Availability mode (CVE-2025-6704), quarantining policy active for email with upgrades from pre-21.0 GA versions (CVE-2025-7624), and OTP authentication enabled for admin users on HA auxiliary devices (CVE-2025-7382).

Which versions include the fixes for these Sophos vulnerabilities?

The fixes for CVE-2025-6704 were first included in version 21.0 MR2 and newer releases. Hotfixes were also made available for versions 19.0 MR2, 20.0 MR2, 20.0 MR3, 21.0 GA, 21.0 MR1-2, and 21.5 GA. CVE-2025-7624 hotfixes were published for all supported versions including 19.0 MR2 through 21.5 GA.

What is the highest CVSS score among these Sophos vulnerabilities?

The highest CVSS scores are 9.8, assigned to both CVE-2025-6704 (arbitrary file writing in SPX) and CVE-2025-7624 (SQL injection in legacy transparent SMTP proxy). These represent critical severity vulnerabilities with maximum impact potential.

Are automatic updates available for these Sophos patches?

Yes, organizations using automatic hotfix installation received these critical patches without manual intervention. However, organizations should still verify that hotfixes have been properly applied to their firewall deployments.

Advisory

Sophos fixes Firewall vulnerabilities that enable unauthenticated remote code execution

published: July 23, 2025

Take action: If you are using Sophos Firewall, check the advisory in detail for the specific configurations that are vulnerable. If you have such a config, patch ASAP. Otherwise, plan a regular patch cycle.

Learn More

Sophos has patched multiple security vulnerabilities in Sophos Firewall that could enable attackers to achieve remote code execution and compromise network infrastructure. The issues require specific configuration to be exploited, which per Sophos estimates covers less than 5% of total install base.

Vulnerabilities summary

CVE-2025-6704 (CVSS score 9.8) - arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature that can lead to pre-authentication remote code execution if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode.
CVE-2025-7624 (CVSS score 9.8) - SQL injection vulnerability in the legacy transparent SMTP proxy. The flaw can lead to remote code execution if a quarantining policy is active for email and SFOS was upgraded from a version older than 21.0 GA.
CVE-2025-7382 (CVSS score 8.8) - command injection vulnerability in WebAdmin. This flaw can lead to adjacent attackers achieving pre-authentication code execution on High Availability (HA) auxiliary devices if OTP authentication for the admin user is enabled.
CVE-2024-13974 (CVSS score 8.1) - business logic vulnerability in the Up2Date component. The flaw can lead to attackers controlling the firewall's DNS environment to achieve remote code execution.
CVE-2024-13973 (CVSS score 6.8) - post-authentication SQL injection vulnerability in WebAdmin that can potentially lead to administrators achieving arbitrary code execution.

Affected versions:

CVE-2024-13974 and CVE-2024-13973 affect Sophos Firewall v21.0 GA (21.0.0) and older versions,
CVE-2025-6704, CVE-2025-7624, and CVE-2025-7382 impact Sophos Firewall v21.5 GA (21.5.0) and older versions.

Patched versions

CVE-2025-6704 hotfixes were published on June 24, 2025, for versions 19.0 MR2, 20.0 MR2, 20.0 MR3, 21.0 GA, 21.0 MR1-2, and 21.5 GA, with additional hotfixes on July 1, 2025, for 21.0 MR1 and 21.0 MR1-1. The fixes were first included in version 21.0 MR2 and newer releases.
CVE-2025-7624 hotfixes were published on July 15, 2025, for all supported versions including 19.0 MR2, 20.0 MR2, 20.0 MR3, 21.0 GA, 21.0 MR1, 21.0 MR1-1, 21.0 MR1-2, and 21.5 GA. Organizations using automatic hotfix installation received these critical patches without manual intervention.

Organizations should update their Sophos firewalls and verify that hotfixes have been properly applied to their firewall deployments.

Sophos fixes Firewall vulnerabilities that enable unauthenticated remote code execution

Read More
Elastic reports critical vulnerabilities in Kibana, releases patch
Critical Cisco IMC Authentication Bypass Allows Remote Administrative …
Data centre PDU Dataprobe iBoot fixes Vulnerabilities including …
Cisco patches three critical and one actively exploited …
Critical SAP NetWeaver vulnerability under active exploitation