Sophos has issued a security advisory detailing the remediation of five vulnerabilities in Sophos Firewall, including two critical flaws that could allow remote attackers to gain control of affected devices under specific conditions. The company assures customers that fixes have been automatically deployed via hotfixes, provided the default auto-installation setting is enabled.
CVE-2025-6704: Pre-Auth RCE via SPX and HA Mode
This critical vulnerability arises from an arbitrary file write flaw in the Secure PDF eXchange (SPX) feature. If SPX is enabled alongside High Availability (HA) mode, an attacker could exploit this to achieve pre-auth remote code execution.
CVE-2025-7624: RCE via SQL Injection in Legacy SMTP Proxy
The second critical vulnerability is an SQL injection flaw in the legacy SMTP proxy. Devices where a quarantining email policy is active and that were upgraded from versions older than 21.0 GA are vulnerable. Successful exploitation could also lead to remote code execution.
CVE-2025-7382: Command Injection in WebAdmin on HA Devices
A high-severity command injection bug in WebAdmin enables adjacent attackers to execute code pre-auth on HA auxiliary devices when OTP authentication is enabled for admin users.
CVE-2024-13974: DNS Hijack via Up2Date Logic Flaw
This high-severity vulnerability is tied to the Up2Date component and allows attackers to manipulate the firewall's DNS environment to achieve remote code execution.
CVE-2024-13973: Post-Auth SQLi in WebAdmin
Lastly, a medium-severity SQL injection vulnerability was found in the WebAdmin interface. If exploited by an authenticated admin, it could result in arbitrary code execution.
Remediation and Recommendations
Sophos has released hotfixes for supported versions and recommends updating to at least version 21.0 MR1 or newer. For customers still on older versions, manual upgrades are required to receive the patches. Sophos emphasized that no active exploitation of these vulnerabilities has been observed so far.