Sophos and SonicWall warn users of the Sophos Firewall’s critical security flaws and Secure Mobile Access (SMA) 100 Series appliances that can be exploited to achieve remote code execution.
Below is a list of two vulnerabilities affecting the Sophos firewall –
CVE-2025-6704 (CVSS Score: 9.8) – An arbitrary file write vulnerability in the secure PDF exchange (SPX) feature can lead to pre-AUTH remote code execution if certain configurations of SPX are enabled in combination with firewalls running in high availability (HA) mode CVE-2025-7624 (CVSS Score). Legacy (transparent) SMTP proxy can lead to remote code execution if the email quarantine policy is active and SFO is upgraded from a version above 21.0 GA.
According to Sophos, CVE-2025-6704 affects about 0.05% of devices, while CVE-2025-7624 affects 0.73% of devices. Both vulnerabilities are addressed along with high strength command injection vulnerabilities in the WebAdmin component (CVE-2025-7382, CVSS score: 8.8).
Also, patching by the company is two other vulnerabilities –
CVE-2024-13974 (CVSS score: 8.1) – A business logic vulnerability in the UP2DATE component could lead to attackers to control the DNS environment of the firewall to achieve remote code execution.
The UK National Cybersecurity Centre (NCSC) is acknowledged to have discovered and reported both CVE-2024-13974 and CVE-2024-13973. The problem affects the next version –
CVE-2024-13974 – Affecting Sophos Firewall V21.0 GA (21.0.0) and old CVE-2024-13973 – Affecting Sophos Firewall V21.0 GA (21.0.0) and old CVE-2025-6704 – Affecting Sophos Firewall v21.5 ga (21.5.025-7625-ga (21.5.0) Sophos Firewall v21.5 Ga (21.5.0) and old CVE-2025-7382 – Affecting Sophos Firewall V21.5 Ga (21.5.0) and Sophos Firewall V21.5 Ga (21.5.0) and Sophos Firewall V21.5 Ga (21.5.0) and Sophos Firewall V21.5 Ga (21.5.0) and Sophos Firewall V21.5 Ga (21.5.0)
SonicWall is disclosed as detailed in the SMA 100 Series Web Management Interface (CVE-2025-40599, CVSS score: 9.1).
The defect affects SMA 100 series products (SMA 210, 410, 500V) and is addressed in versions 10.2.2.1-90SV.
Sonicwall also noted that the vulnerability has not been exploited, but there are potential risks in light of recent reports from the Google Threat Intelligence Group (GTIG).
In addition to applying the fix, the company recommends that customers of SMA 100 series devices follow these steps –
Disable remote management access on the externally directed interface (x1) to reduce attack surface, reset all passwords, and reproduce OTP (one-time password) bindings for appliance users and administrators.
Organizations using SMA 100 Series devices are also recommended to check appliance logs and connection history for abnormalities and for indications of unauthorized access.
Organizations using SMA 500V virtual products are required to back up OVA files, export configurations, remove existing virtual machines and all associated virtual disks and snapshots, reinstall new OVAs from SonicWall using a hypervisor, and restore configurations.
Source link
