Sophos recently announced and urged users to urgently patch five independent security vulnerabilities in the Sophos Firewall product, including two critical vulnerabilities that allow attackers to execute remote code without authentication (RCE). The announcement, released on July 21, 2025, emphasized that these vulnerabilities affect certain configurations, although the percentage of affected devices remains below 1% in most cases.

Overview

According to the FPT Threat Intelligence team, among the disclosed vulnerabilities, the two most serious ones actively exploited by hackers are CVE-2025-6704 and CVE-2025-7624. Both are rated as "critical" and allow attackers to execute remote code without authentication.

The CVE-2025-6704 vulnerability is in the Secure PDF Exchange (SPX) feature—a component used to send encrypted emails as password-protected PDF files, commonly found in the Sophos Firewall system. When users enable SPX, they can send secure emails to recipients without using PGP or S/MIME encryption methods. However, attackers have exploited this to write malicious files into the firewall system.

The CVE-2025-7624 vulnerability exists in the legacy mode SMTP proxy of Sophos Firewall, which is used to filter, inspect, and log incoming/outgoing emails. Additionally, this vulnerability allows remote code execution when the email quarantine policy is enabled and the Sophos Firewall operating system has been upgraded from versions prior to 21.0 GA. The impact of this vulnerability is broader, affecting up to 0.73% of deployed devices.

Affected Version

Product	Affected Version
Sophos Firewall OS (SFOS)	All versions ≤ 21.5 GA (General Availability)
Additional conditions	- SPX email protection is enabled
- Firewall is not in HA (High Availability) mode

Vulnerability Details

1. CVE-2025-6704 – Pre-authentication RCE via SPX

CVSS Score 9.8 (Critical)
Arbitrary file write vulnerability in the Secure PDF Exchange (SPX) function, appearing on devices not in High Availability (HA) mode with SPX enabled.
Relatively small scope, affecting about 0.05% of devices. Discovered through Sophos's bug bounty program.

2. CVE-2025-7624 – SQL Injection on SMTP Proxy

CVSS Score 9.8 (Critical)
SQL injection flaw in the legacy transparent SMTP proxy that can lead to RCE.
Some devices upgraded from SFOS versions < 21.0 GA using the quarantining policy are affected (~0.73% of devices).

3. CVE-2025-7382 – Command Injection on WebAdmin AUX HA

CVSS Score 8.8 (High)
Allows attackers on the local network to execute code on HA auxiliary devices, if the OTP function for WebAdmin is enabled.
Affects about 1% of devices.

4. CVE-2024-13974 – RCE via Up2Date

CVSS Score 8.2 (High)
Due to a business logic flaw in the Up2Date component, attackers can manipulate the firewall's DNS and execute remote code.
Discovered by the UK National Cyber Security Centre (NCSC).

5. CVE-2024-13973 – SQL Injection in WebAdmin

CVSS Score 6.6 (Medium)
Post-authentication SQL injection, allowing network admins to execute arbitrary code.

Exploit Stream

Vulnerability CVE-2025-7624
- As mentioned earlier, when an incoming email is processed by the proxy, data such as the sender's address, subject, or content is inserted into SQL statements without proper filtering. Through this, an attacker can send a specially crafted email, injecting SQL code into the subject or SMTP fields.

At that point, if Sophos's SMTP proxy processes the Subject field by embedding it directly into SQL statements without input sanitization, a hacker could:
- Delete the log table (quarantine_logs).
- Overwrite files.
- Or proceed to execute arbitrary commands if combined with other RCE vulnerabilities.

Vulnerability CVE-2025-6704
- According to experts, the attacker will send an email to the victim (with SPX enabled). The email's subject will naturally contain malicious code.

Here, the firewall will automatically receive the email and convert the content into an encrypted PDF file. However, there is a very serious error in the PDF file processing step. SPX will attempt to write a temporary file containing metadata like the recipient's name, subject, etc., without properly controlling the file path or content.
In the next step, the attacker can insert a payload into a field (e.g., Subject) to force SPX to write the file to any location on the system, such as /tmp/shell.sh, /var/www/html/backdoor.php, or an important configuration file.

If the firewall does not properly handle the input in the Subject, this line will create a PHP file with RCE malware in the web directory. Then, the attacker can access https://firewall-ip/shell.php?cmd=id and execute remote commands.

Recommendations & Remediation

Verify firewall version: Ensure you are running the latest patch ≥ 21.5 GA with the hotfix applied.
Enable automatic updates: Turn it back on if it was previously disabled.
Closely monitor SPX configuration, SMTP Proxy, WebAdmin OTP if using HA.
Check email filters and SMTP logs to detect signs of attacks through the proxy.
For internal systems with email running through the firewall, consider switching to a relay or dedicated email service.

Conclusion

Sophos quickly addressed the serious vulnerabilities; however, the update process needs to be confirmed and closely monitored. According to the company's recommendations, users should prioritize patching the two vulnerabilities CVE-2025-6704 and 7624, as they are the most dangerous pre-auth RCE vulnerabilities recorded in the campaign. The early deployment of the hotfix has reduced the risk, but continuous monitoring is necessary, especially for email configurations and HA.

Sophos urges patching of critical vulnerabilities, allowing attackers to control the system remotely