Sophos urges patching of critical vulnerabilities, allowing attackers to control the system remotely


Sophos recently announced, and urged users to urgently patch, five independent security vulnerabilities in the Sophos Firewall product, including two critical vulnerabilities that allow unauthenticated remote code execution (RCE). The announcement, released on July 21, 2025, emphasized that these vulnerabilities only affect certain configurations; the share of affected devices remains below 1% in most cases.
Overview
According to the FPT Threat Intelligence team, among the disclosed vulnerabilities, the two most serious ones actively exploited by hackers are CVE-2025-6704 and CVE-2025-7624. Both are rated as "critical" and allow attackers to execute remote code without authentication.
The CVE-2025-6704 vulnerability lies in the Secure PDF Exchange (SPX) feature, a component of Sophos Firewall used to send encrypted emails as password-protected PDF files. When SPX is enabled, users can send secure emails to recipients without relying on PGP or S/MIME encryption. Attackers, however, have exploited this feature to write malicious files into the firewall system.
The CVE-2025-7624 vulnerability exists in the legacy-mode SMTP proxy of Sophos Firewall, which is used to filter, inspect, and log incoming and outgoing email. It allows remote code execution when the email quarantine policy is enabled and the firewall OS has been upgraded from a version prior to 21.0 GA. Its impact is broader, affecting up to 0.73% of deployed devices.
Affected Version
Product | Affected Version
--- | ---
Sophos Firewall OS (SFOS) | All versions ≤ 21.5 GA (General Availability)
Additional conditions | SPX email protection is enabled; firewall is not in HA (High Availability) mode
Vulnerability Details
1. CVE-2025-6704 – Pre-authentication RCE via SPX
CVSS Score 9.8 (Critical)
Arbitrary file write vulnerability in the Secure PDF Exchange (SPX) function, appearing on devices not in High Availability (HA) mode with SPX enabled.
Relatively small scope, affecting about 0.05% of devices. Discovered through Sophos's bug bounty program.
2. CVE-2025-7624 – SQL Injection on SMTP Proxy
CVSS Score 9.8 (Critical)
SQL injection flaw in the legacy transparent SMTP proxy that can lead to RCE.
Some devices upgraded from SFOS versions < 21.0 GA using the quarantining policy are affected (~0.73% of devices).
3. CVE-2025-7382 – Command Injection on WebAdmin AUX HA
CVSS Score 8.8 (High)
Allows attackers on the local network to execute code on HA auxiliary devices, if the OTP function for WebAdmin is enabled.
Affects about 1% of devices.
4. CVE-2024-13974 – RCE via Up2Date
CVSS Score 8.2 (High)
Due to a business logic flaw in the Up2Date component, attackers can manipulate the firewall's DNS and execute remote code.
Discovered by the UK National Cyber Security Centre (NCSC).
5. CVE-2024-13973 – SQL Injection in WebAdmin
CVSS Score 6.6 (Medium)
Post-authentication SQL injection, allowing an authenticated network administrator to execute arbitrary code.
Exploit Flow
Vulnerability CVE-2025-7624
- As noted above, when the legacy SMTP proxy processes an incoming email, data such as the sender's address, subject, or body is inserted into SQL statements without proper filtering. An attacker can therefore send a specially crafted email that carries SQL code in the Subject or other SMTP fields.
- If the proxy embeds the Subject field directly into its SQL statements without input sanitization, an attacker could:
  - delete the log table (quarantine_logs);
  - overwrite files;
  - or go on to execute arbitrary commands if the injection is combined with other RCE vulnerabilities.
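The flaw class behind CVE-2025-7624 is header data spliced into SQL text. The following is an added illustration, not code from Sophos or from the advisory: it models a quarantine log table (the table name is the one the article mentions; everything else, including the sample headers and the probe string, is constructed) and runs the same input through a string-concatenated query and a parameterised one.

```python
import sqlite3

# Constructed sample mail headers (not from the advisory): a normal subject and one that
# legitimately contains an apostrophe.
SAMPLE_MAILS = [
    ("alice@example.com", "Quarterly report"),
    ("bob@example.com", "Re: O'Brien's invoice"),
]

# A lookup value that is SQL syntax rather than a subject, constructed to show how the two
# query styles treat the same string.
TAUTOLOGY_PROBE = "' OR '1'='1"


def make_db():
    """In-memory stand-in for the proxy's quarantine log table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quarantine_logs (id INTEGER PRIMARY KEY, sender TEXT, subject TEXT)"
    )
    return conn


def log_mail_vulnerable(conn, sender, subject):
    """Header values spliced into the SQL text: the subject becomes part of the statement."""
    sql = f"INSERT INTO quarantine_logs (sender, subject) VALUES ('{sender}', '{subject}')"
    conn.execute(sql)


def log_mail_safe(conn, sender, subject):
    """Header values passed as bound parameters: always treated as data, never as SQL."""
    conn.execute(
        "INSERT INTO quarantine_logs (sender, subject) VALUES (?, ?)", (sender, subject)
    )


def find_by_subject_vulnerable(conn, subject):
    sql = f"SELECT sender, subject FROM quarantine_logs WHERE subject = '{subject}'"
    return conn.execute(sql).fetchall()


def find_by_subject_safe(conn, subject):
    return conn.execute(
        "SELECT sender, subject FROM quarantine_logs WHERE subject = ?", (subject,)
    ).fetchall()


def compare():
    """Run both code paths over the same constructed input and report what each did."""
    results = {}
    vuln, safe = make_db(), make_db()

    # 1. A harmless apostrophe already breaks the concatenated statement (syntax error),
    #    which is the first sign that data and SQL are not being kept apart.
    results["vulnerable_insert_error"] = None
    try:
        for sender, subject in SAMPLE_MAILS:
            log_mail_vulnerable(vuln, sender, subject)
    except sqlite3.OperationalError as exc:
        results["vulnerable_insert_error"] = str(exc)
    for sender, subject in SAMPLE_MAILS:
        log_mail_safe(safe, sender, subject)
    results["safe_rows"] = safe.execute("SELECT COUNT(*) FROM quarantine_logs").fetchone()[0]

    # 2. The probe string returns every row from the concatenated query and nothing from the
    #    parameterised one, because only the former lets it alter the WHERE clause.
    results["vulnerable_lookup_rows"] = len(find_by_subject_vulnerable(vuln, TAUTOLOGY_PROBE))
    results["safe_lookup_rows"] = len(find_by_subject_safe(safe, TAUTOLOGY_PROBE))
    return results


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The point for reviewers of any mail-handling code path is the second function in each pair: bound parameters make the header value inert regardless of what it contains, whereas the concatenated form fails on ordinary punctuation and lets SQL syntax in the header change the query.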
Vulnerability CVE-2025-6704
- According to experts, the attacker sends an email to the victim (with SPX enabled) whose Subject contains the malicious payload.
- The firewall automatically receives the email and converts its content into an encrypted PDF file. The PDF processing step, however, contains a serious flaw: SPX attempts to write a temporary file containing metadata such as the recipient's name and the subject without properly controlling the file path or content. An attacker can therefore insert a payload into a field such as Subject to force SPX to write the file to any location on the system, for example /tmp/shell.sh, /var/www/html/backdoor.php, or an important configuration file.
- If the firewall does not properly handle the input in the Subject field, such a payload creates a PHP file containing RCE malware in the web directory. The attacker can then access https://firewall-ip/shell.php?cmd=id and execute commands remotely.
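The fix for an arbitrary-file-write bug of this shape is to never let header data decide the destination path. The following is an added example, not Sophos's code: `spx_temp_path_vulnerable` models the assumed flawed pattern (an untrusted value used as a file name), and `spx_temp_path_safe` shows the usual hardening of reducing the value to a file-name fragment and confining the resolved path to the working directory. The subjects are constructed; two of them are the example paths the article gives.

```python
import os
import re
import tempfile

# Constructed Subject values: a normal one and the two paths the article gives as examples.
SUBJECTS = [
    "Re: Invoice #42 (final)",
    "/tmp/shell.sh",
    "/var/www/html/backdoor.php",
]


def spx_temp_path_vulnerable(work_dir, subject):
    """Assumed flawed pattern: the header value is used as the file name unchanged.

    os.path.join drops work_dir entirely when the second component is absolute, so a
    Subject that is an absolute path decides where the metadata file is written.
    """
    return os.path.join(work_dir, subject + ".meta")


def spx_temp_path_safe(work_dir, subject):
    """Reduce the untrusted value to a safe file-name fragment and confine it to work_dir."""
    # 1. Keep only the last path component, then allow a conservative character set.
    fragment = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(subject))[:64] or "untitled"
    # 2. Resolve symlinks and '..' and check the result is still under work_dir.
    root = os.path.realpath(work_dir)
    candidate = os.path.realpath(os.path.join(root, fragment + ".meta"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("refusing to write outside the SPX working directory")
    return candidate


def where_would_it_write(subject, work_dir=None):
    """Return (vulnerable_path, safe_path) for one subject; work_dir defaults to a fresh temp dir."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="spx-demo-")
    return spx_temp_path_vulnerable(work_dir, subject), spx_temp_path_safe(work_dir, subject)


if __name__ == "__main__":
    for subj in SUBJECTS:
        vulnerable, safe = where_would_it_write(subj)
        print(f"{subj!r:35} vulnerable -> {vulnerable}")
        print(f"{'':35} safe       -> {safe}")
```

Running it shows the vulnerable helper returning `/tmp/shell.sh.meta` for the second subject, while the hardened one produces a file named `shell.sh.meta` inside the working directory. The `commonpath` check is belt-and-braces: `basename` already removes directory components, but the check also catches symlinked working directories and any future change that re-introduces a path separator.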
Recommendations & Remediation
- Verify the firewall version: ensure you are running the latest release (≥ 21.5 GA) with the hotfix applied.
- Enable automatic updates: turn them back on if they were previously disabled.
- Review the SPX, SMTP proxy and WebAdmin OTP configuration closely, especially if the firewall is deployed in HA mode.
- Check email filters and SMTP logs for signs of attacks through the proxy.
- For internal systems whose email passes through the firewall, consider switching to a relay or a dedicated email service.
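To make the log-review recommendation concrete, the following is an added example (not a Sophos tool, and the log format is an assumption for the demonstration) that scans SMTP proxy log lines for Subject headers carrying the two indicator types discussed above: SQL syntax following a quote, and filesystem paths or script names. The log lines are constructed; the `.invalid` sender domain is a reserved placeholder.

```python
import re

# Constructed log lines in an assumed format (not Sophos's real log format): one line per
# message seen by the SMTP proxy, with the Subject header quoted.
SAMPLE_LOG = """\
2025-07-22T10:15:03Z smtp-proxy mode=legacy from=<alice@example.com> subject="Quarterly report"
2025-07-22T10:16:41Z smtp-proxy mode=legacy from=<bob@example.com> subject="Re: O'Brien's invoice"
2025-07-22T10:18:07Z smtp-proxy mode=legacy from=<noreply@attacker.invalid> subject="x' OR '1'='1"
2025-07-22T10:19:55Z smtp-proxy mode=legacy from=<noreply@attacker.invalid> subject="/tmp/shell.sh"
2025-07-22T10:21:12Z smtp-proxy mode=legacy from=<noreply@attacker.invalid> subject="hello' UNION SELECT 1 --"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) .*?from=<(?P<sender>[^>]*)> subject="(?P<subject>[^"]*)"')

# Indicators, each deliberately narrow so that an ordinary apostrophe ("O'Brien") is not enough.
INDICATORS = {
    "sql_syntax_after_quote": re.compile(
        r"'\s*(?:or|and|union|select|insert|update|delete|drop)\b"
        r"|;\s*(?:select|insert|update|delete|drop)\b"
        r"|--\s*$",
        re.IGNORECASE,
    ),
    "filesystem_path": re.compile(r"\.\./|/(?:tmp|var|etc|usr|opt)/|\.(?:php|sh)$", re.IGNORECASE),
}


def parse_line(line):
    """Split one log line into timestamp, sender and subject; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return one finding per suspicious line: which indicators matched plus the parsed fields."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_line(line)
        if not fields:
            continue
        hits = [name for name, pattern in INDICATORS.items() if pattern.search(fields["subject"])]
        if hits:
            findings.append({"line": lineno, "indicators": hits, **fields})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['indicators'])} from={f['sender']} subject={f['subject']!r}")
```

On the sample, lines 3, 4 and 5 are flagged and the two legitimate subjects are not. The indicator list is a starting point for a SIEM rule rather than a signature: tune the keyword list and path prefixes to the traffic you actually see, and treat a hit as a prompt to pull the full message and check the proxy and quarantine tables, not as proof of compromise.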
Conclusion
Sophos quickly addressed the serious vulnerabilities; however, the update process needs to be confirmed and closely monitored. In line with the company's recommendations, users should prioritize patching CVE-2025-6704 and CVE-2025-7624, as they are the most dangerous pre-auth RCE vulnerabilities recorded in the campaign. Early deployment of the hotfix has reduced the risk, but continuous monitoring remains necessary, especially of email configurations and HA.
Written by Lưu Tuấn Anh