Overview
Sophos has resolved five independent security vulnerabilities in Sophos Firewall.
Every Critical and High severity vulnerability was remediated through hotfixes.
Customers running a remediated version with the "Allow automatic installation of hotfixes" feature enabled (the default setting) receive these fixes with no action required (see the Remediation section below).
CVE ID | Description | Severity |
---|---|---|
CVE-2025-6704 | An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode. The issue, impacting about 0.05% of devices, was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. | CRITICAL |
CVE-2025-7624 | An SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA. The issue, impacting at most 0.73% of devices, was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. | CRITICAL |
CVE-2025-7382 | A command injection vulnerability in WebAdmin can lead to adjacent attackers achieving pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled. The issue, impacting about 1% of devices, was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. | HIGH |
CVE-2024-13974 | A business logic vulnerability in the Up2Date component can allow an attacker who controls the firewall's DNS environment to achieve remote code execution. The issue was discovered and responsibly disclosed to Sophos by an external security researcher. Sophos would like to thank the UK's National Cyber Security Centre (NCSC) for responsibly disclosing the issue to Sophos. | HIGH |
CVE-2024-13973 | A post-auth SQL injection vulnerability in WebAdmin can potentially allow administrators to achieve arbitrary code execution. The issue was discovered and responsibly disclosed to Sophos by an external security researcher. Sophos would like to thank the UK's National Cyber Security Centre (NCSC) for responsibly disclosing the issue to Sophos. | MEDIUM |
Applies to the following Sophos product(s) and version(s)
- CVE-2024-13974, CVE-2024-13973:
  - Sophos Firewall v21.0 GA (21.0.0) and older
- CVE-2025-6704, CVE-2025-7624, CVE-2025-7382:
  - Sophos Firewall v21.5 GA (21.5.0) and older
Remediation
- Ensure you are running a supported version
- CVE-2025-6704:
  - Hotfixes for the following supported versions published on:
    - June 24 2025 for 19.0 MR2 (19.0.2.472), 20.0 MR2 (20.0.2.378), 20.0 MR3 (20.0.3.427), 21.0 GA (21.0.0.169), 21.0 MR1-2 (21.0.1.277), 21.5 GA (21.5.0.171)
    - July 1 2025 for 21.0 MR1 (21.0.1.237), 21.0 MR1-1 (21.0.1.272)
  - Fix first included in v21.0 MR2 and newer
- CVE-2025-7624:
  - Hotfixes for the following supported versions published on:
    - July 15 2025 for 19.0 MR2 (19.0.2.472), 20.0 MR2 (20.0.2.378), 20.0 MR3 (20.0.3.427), 21.0 GA (21.0.0.169), 21.0 MR1 (21.0.1.237), 21.0 MR1-1 (21.0.1.272), 21.0 MR1-2 (21.0.1.277), 21.5 GA (21.5.0.171)
  - Fix first included in v21.0 MR2 and newer
- CVE-2025-7382:
  - Hotfixes for the following supported versions published on:
    - June 30 2025 for 19.0 MR2 (19.0.2.472), 20.0 MR2 (20.0.2.378), 20.0 MR3 (20.0.3.427), 21.0 GA (21.0.0.169), 21.0 MR1-2 (21.0.1.277), 21.5 GA (21.5.0.171)
    - July 2 2025 for 21.0 MR1 (21.0.1.237), 21.0 MR1-1 (21.0.1.272)
  - Fix first included in v21.0 MR2 and newer
- CVE-2024-13974:
  - Hotfixes for the following supported versions published on:
    - January 6 2025 for 19.0 MR2 (19.0.2.472)
    - January 7 2025 for 20.0 MR2 (20.0.2.378), 20.0 MR3 (20.0.3.427), 21.0 GA (21.0.0.169)
  - Fix first included in v21.0 MR1 and newer
- CVE-2024-13973:
  - Fix first included in v21.0 MR1 and newer
- Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix
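As an added example (not Sophos code or tooling), the following Python script turns the version data above into a fleet check: it parses SFOS build strings and, for each CVE, reports whether a build already carries the fix, sits outside the affected range, has a published hotfix (which must still be verified as installed per KBA-000010589), or needs an upgrade. The build lists, affected ceilings and "fix first included in" levels are transcribed from this advisory; the comparison rules (a fix level applies to builds at or above it within the same major.minor line, and a build above the "and older" ceiling is treated as not affected) and the sample inventory are this example's own assumptions.

```python
"""Classify Sophos Firewall (SFOS) build strings against this advisory's remediation data.

Added example, not Sophos code. Build numbers, affected ceilings and fix levels
are transcribed from the advisory; the rules for applying them are assumptions
made here. Whether a hotfix is actually installed on a device can only be
confirmed with the check described in KBA-000010589.
"""
from __future__ import annotations

import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(s: str) -> Version:
    """Parse '21.0.1.277' or '21.0.1' into a tuple of ints that compares numerically."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {s!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


# Builds that received the June/July 2025 hotfixes (same list for all three 2025 CVEs).
_HOTFIXED_2025 = frozenset({
    "19.0.2.472", "20.0.2.378", "20.0.3.427", "21.0.0.169",
    "21.0.1.237", "21.0.1.272", "21.0.1.277", "21.5.0.171",
})
# Builds that received the January 2025 hotfix for CVE-2024-13974.
_HOTFIXED_13974 = frozenset({"19.0.2.472", "20.0.2.378", "20.0.3.427", "21.0.0.169"})

# ceiling: the "and older" bound from the Applies-to section.
# fixed_from: "Fix first included in" (the advisory numbers MRs as x.y.N, e.g. 21.0 MR1 = 21.0.1);
# assumed here to cover builds at or above that level within the same major.minor line.
ADVISORY: Dict[str, dict] = {
    "CVE-2025-6704": {"ceiling": (21, 5, 0), "fixed_from": (21, 0, 2), "hotfixed": _HOTFIXED_2025},
    "CVE-2025-7624": {"ceiling": (21, 5, 0), "fixed_from": (21, 0, 2), "hotfixed": _HOTFIXED_2025},
    "CVE-2025-7382": {"ceiling": (21, 5, 0), "fixed_from": (21, 0, 2), "hotfixed": _HOTFIXED_2025},
    "CVE-2024-13974": {"ceiling": (21, 0, 0), "fixed_from": (21, 0, 1), "hotfixed": _HOTFIXED_13974},
    "CVE-2024-13973": {"ceiling": (21, 0, 0), "fixed_from": (21, 0, 1), "hotfixed": frozenset()},
}

FIXED = "fixed in firmware"
NOT_AFFECTED = "outside the affected range"
HOTFIX = "hotfix published for this build; verify it is installed (KBA-000010589)"
UPGRADE = "affected and no hotfix for this build; upgrade to a supported version"


def classify(build: str, cve: str) -> str:
    """Return one of FIXED / NOT_AFFECTED / HOTFIX / UPGRADE for a build and CVE."""
    v = parse_version(build)
    data = ADVISORY[cve]
    fixed_from = data["fixed_from"]
    # Same release line and at/above the first fixed level: the fix is built in.
    if v[:2] == fixed_from[:2] and v[:3] >= fixed_from:
        return FIXED
    # Newer than the "and older" ceiling: not in the stated affected range.
    if v[:3] > data["ceiling"]:
        return NOT_AFFECTED
    # Exact build listed as hotfixed: fix arrives via hotfix, still needs verification.
    if build.strip() in data["hotfixed"]:
        return HOTFIX
    return UPGRADE


def fleet_report(inventory: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Map each device name to {CVE: status} for every CVE in the advisory."""
    return {name: {cve: classify(build, cve) for cve in ADVISORY}
            for name, build in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration, not real devices.
    sample = {"fw-edge-01": "21.5.0.171", "fw-branch-02": "20.0.1.100", "fw-lab-03": "21.0.2.300"}
    for device, statuses in fleet_report(sample).items():
        print(device)
        for cve, status in statuses.items():
            print(f"  {cve}: {status}")
```

Feed it an exported list of hostname and firmware version pairs; a HOTFIX result only means a hotfix exists for that build, so the KB article check above is still the authoritative confirmation that it was installed.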
Verifying the hotfix
- To confirm that the hotfixes have been applied to your firewall, please refer to https://support.sophos.com/support/s/article/KBA-000010589?language=en_US.
Vulnerability investigation
Sophos has not observed these vulnerabilities to be exploited at this time.
Related information
- https://www.cve.org/CVERecord?id=CVE-2025-6704
- https://www.cve.org/CVERecord?id=CVE-2025-7624
- https://www.cve.org/CVERecord?id=CVE-2025-7382
- https://www.cve.org/CVERecord?id=CVE-2024-13974
- https://www.cve.org/CVERecord?id=CVE-2024-13973
- https://support.sophos.com/support/s/article/KBA-000010589?language=en_US