Sophos and SonicWall have alerted users of critical security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances that could be exploited to achieve remote code execution.
The two vulnerabilities impacting Sophos Firewall are listed below –
- CVE-2025-6704 (CVSS score: 9.8) – An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode
- CVE-2025-7624 (CVSS score: 9.8) – An SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA
Sophos said CVE-2025-6704 affects about 0.05% of devices, while CVE-2025-7624 impacts as many as 0.73% of devices. Both vulnerabilities have been addressed alongside a high-severity command injection vulnerability in the WebAdmin component (CVE-2025-7382, CVSS score: 8.8) that could result in pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled.
Also patched by the company are two other vulnerabilities –
- CVE-2024-13974 (CVSS score: 8.1) – A business logic vulnerability in the Up2Date component can lead to attackers controlling the firewall’s DNS environment to achieve remote code execution
- CVE-2024-13973 (CVSS score: 6.8) – A post-auth SQL injection vulnerability in WebAdmin can potentially lead to administrators achieving arbitrary code execution
The U.K. National Cyber Security Centre (NCSC) has been credited with discovering and reporting both CVE-2024-13974 and CVE-2024-13973. The issues affect the following versions –
- CVE-2024-13974 – Affects Sophos Firewall v21.0 GA (21.0.0) and older
- CVE-2024-13973 – Affects Sophos Firewall v21.0 GA (21.0.0) and older
- CVE-2025-6704 – Affects Sophos Firewall v21.5 GA (21.5.0) and older
- CVE-2025-7624 – Affects Sophos Firewall v21.5 GA (21.5.0) and older
- CVE-2025-7382 – Affects Sophos Firewall v21.5 GA (21.5.0) and older
The disclosure comes as SonicWall detailed a critical bug in the SMA 100 Series web management interface (CVE-2025-40599, CVSS score: 9.1) that a remote attacker with administrative privileges can exploit to upload arbitrary files and potentially achieve remote code execution.
The flaw impacts SMA 100 Series products (SMA 210, 410, 500v) and has been addressed in version 10.2.2.1-90sv.
SonicWall also pointed out that while the vulnerability has not been exploited, there exists a potential risk in light of a recent report from the Google Threat Intelligence Group (GTIG), which found evidence of a threat actor dubbed UNC6148 leveraging fully-patched SMA 100 series devices to deploy a backdoor called OVERSTEP.
Besides applying the fixes, the company is also recommending that customers of SMA 100 Series devices carry out the following steps –
- Disable remote management access on the external-facing interface (X1) to reduce the attack surface
- Reset all passwords and reinitialize OTP (One-Time Password) binding for users and administrators on the appliance
- Enforce multi-factor authentication (MFA) for all users
- Enable Web Application Firewall (WAF) on SMA 100
Organizations using SMA 100 Series devices are also advised to review appliance logs and connection history for anomalies and check for any signs of unauthorized access.
Organizations using the SMA 500v virtual product are required to backup the OVA file, export the configuration, remove the existing virtual machine and all associated virtual disks and snapshots, reinstall the new OVA from SonicWall using a hypervisor, and restore the configuration.
