Sophos has disclosed multiple critical security vulnerabilities affecting its Firewall products, with the most severe flaws enabling pre-authentication remote code execution that could allow attackers to completely compromise affected systems.
The cybersecurity company released hotfixes for five independent vulnerabilities, two of which carry critical severity ratings and pose significant risks to enterprise networks worldwide.
Severe Pre-Authentication Vulnerabilities Discovered
The most concerning vulnerability, tracked as CVE-2025-6704, represents an arbitrary file writing flaw in the Secure PDF eXchange (SPX) feature that can lead to pre-authentication remote code execution.
| CVE ID | Severity | Description | Affected Versions |
|---|---|---|---|
| CVE-2025-6704 | Critical | Arbitrary file writing in SPX feature leading to pre-auth RCE | v21.5 GA and older |
| CVE-2025-7624 | Critical | SQL injection in legacy SMTP proxy leading to RCE | v21.5 GA and older |
| CVE-2025-7382 | High | Command injection in WebAdmin enabling pre-auth RCE on HA devices | v21.5 GA and older |
| CVE-2024-13974 | High | Business logic flaw in Up2Date component | v21.0 GA and older |
| CVE-2024-13973 | Medium | Post-auth SQL injection in WebAdmin | v21.0 GA and older |
CVE-2025-6704 specifically affects firewalls running in High Availability (HA) mode with specific SPX configurations enabled, impacting approximately 0.05% of deployed devices.
The flaw was discovered and responsibly disclosed through Sophos’s bug bounty program by an external security researcher.
Equally dangerous is CVE-2025-7624, a SQL injection vulnerability residing in the legacy transparent SMTP proxy component.
This critical flaw can lead to remote code execution when a quarantining policy is active for email and the Sophos Firewall was upgraded from versions older than 21.0 GA. The vulnerability potentially affects up to 0.73% of devices in the field.
Three additional vulnerabilities compound the security concerns. CVE-2025-7382 presents a command injection vulnerability in WebAdmin that enables adjacent attackers to achieve pre-authentication code execution on High Availability auxiliary devices when OTP authentication is enabled for admin users.
The remaining vulnerabilities include CVE-2024-13974, a business logic flaw in the Up2Date component that allows attackers controlling the firewall’s DNS environment to achieve remote code execution.
CVE-2024-13973 represents a post-authentication SQL injection vulnerability in WebAdmin that could enable administrators to execute arbitrary code.
The company emphasizes that no action is required for users with automatic hotfix installation enabled. Critical and high-severity vulnerabilities received immediate hotfix remediation, with deployment dates ranging from January 2025 through July 2025.
Organizations should verify hotfix application and ensure they’re running supported Sophos Firewall versions. Currently, Sophos reports no observed exploitation of these vulnerabilities in the wild.