Sophos Firewall Hit by Critical Vulnerabilities: Remote Code Execution Threat Looms

Dangerous Bugs Uncovered in Sophos Firewall:

In a major cybersecurity alert, Sophos has publicly disclosed five serious security vulnerabilities affecting its Firewall product line. Two of these have been categorized as critical, capable of allowing remote code execution without authentication. Though the impacted device count is small, the nature of these flaws makes them a serious threat, especially in enterprise or government settings. Sophos released the advisory on July 21, 2025, urging users to confirm hotfix installation or upgrade outdated systems. The vulnerabilities were discovered and reported responsibly, some through bug bounty programs and others by the UK’s National Cyber Security Centre (NCSC). So far, there’s no evidence of these bugs being exploited in the wild, thanks in part to rapid hotfix deployment. However, the potential risk remains high for organizations using legacy systems or with misconfigured installations. This news underlines how even minimal exposure can pose a massive cybersecurity hazard.

Critical Flaws Summarized: What’s at Stake for Sophos Firewall Users

Sophos’ latest security advisory reveals five different vulnerabilities across its Firewall products. Among them, two stand out for their severity: CVE-2025-6704 and CVE-2025-7624, both rated critical because they enable remote code execution without requiring any user authentication.

CVE-2025-6704 is a flaw in the Secure PDF eXchange (SPX) feature, particularly dangerous when paired with High Availability (HA) mode. This vulnerability affects just 0.05% of devices but poses significant risk because it lets attackers write arbitrary files and gain remote control of the device.

The second critical issue, CVE-2025-7624, is an SQL injection vulnerability found in the legacy transparent SMTP proxy. It impacts up to 0.73% of devices, especially those upgraded from older software versions and running specific quarantining policies. Both of these critical bugs were reported through Sophos’ bug bounty program, highlighting the role of ethical hackers in modern cybersecurity.

Three more vulnerabilities were also disclosed:

CVE-2025-7382: A high-severity command injection bug in the WebAdmin interface, exploitable when one-time password (OTP) authentication is enabled. Around 1% of specific configurations are vulnerable.
CVE-2024-13974: A business logic flaw in the Up2Date system that lets attackers manipulate DNS to execute code. This was responsibly disclosed by the UK’s NCSC.
CVE-2024-13973: A medium-severity SQL injection flaw within WebAdmin that allows administrators to run arbitrary code.

Sophos moved fast, deploying automatic hotfixes to affected systems as early as January 2025, with the most recent patches applied in July 2025. Customers with the default “Allow automatic installation of hotfixes” setting needed to take no manual action. Fortunately, there has been no evidence of active exploitation, pointing to the effectiveness of Sophos’ patch management and disclosure strategies. However, the threat remains for users running outdated or misconfigured versions, and upgrading remains critical.
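As an added example (not from the article, the cyberpress report, or Sophos), the following Python triages a constructed firewall inventory against the exposure conditions summarised above: SPX combined with HA for CVE-2025-6704, the legacy transparent SMTP proxy on upgraded systems with a quarantining policy for CVE-2025-7624, WebAdmin with OTP enabled for CVE-2025-7382, and any device that has not confirmed the hotfix for the two 2024 issues. The feature labels (`spx`, `ha`, `legacy_smtp_proxy`, `webadmin_otp` and so on), the per-CVE hotfix status, and the device names are assumptions made for illustration; they are not Sophos configuration keys or API fields, and the article gives no severity for CVE-2024-13974, so it is carried as "unrated".

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "unrated": 3}

# Advisory items as summarised in the article: severity, the configuration
# traits under which the flaw is reachable (empty set = any device), and a note.
# The trait labels are constructed for this example, not Sophos config keys.
ADVISORY = {
    "CVE-2025-6704": ("critical", frozenset({"spx", "ha"}),
                      "SPX with High Availability: unauthenticated RCE via arbitrary file write"),
    "CVE-2025-7624": ("critical", frozenset({"legacy_smtp_proxy", "upgraded_legacy", "quarantine_policy"}),
                      "SQL injection in legacy transparent SMTP proxy: unauthenticated RCE"),
    "CVE-2025-7382": ("high", frozenset({"webadmin_otp"}),
                      "command injection in WebAdmin when OTP authentication is enabled"),
    "CVE-2024-13974": ("unrated", frozenset(),
                       "Up2Date business-logic flaw: DNS manipulation leading to code execution"),
    "CVE-2024-13973": ("medium", frozenset(),
                       "SQL injection in WebAdmin reachable by administrators"),
}


@dataclass
class Device:
    name: str
    auto_hotfix: bool                              # "Allow automatic installation of hotfixes"
    hotfixed: set = field(default_factory=set)     # CVEs whose hotfix is confirmed installed
    features: set = field(default_factory=set)     # enabled features / config traits (constructed labels)


@dataclass
class Finding:
    device: str
    cve: str
    severity: str
    action: str
    note: str


def triage(devices):
    """Return findings for every (device, CVE) pair where the hotfix is not
    confirmed and the device's configuration meets the flaw's preconditions.
    Sorted critical first so the list doubles as a remediation queue."""
    findings = []
    for d in devices:
        for cve, (sev, needs, note) in ADVISORY.items():
            if cve in d.hotfixed:
                continue                       # hotfix confirmed: not exposed
            if not needs <= d.features:
                continue                       # precondition (e.g. SPX + HA) not met
            if d.auto_hotfix:
                action = "verify hotfix status: auto-hotfix is on but installation is not confirmed"
            else:
                action = "auto-hotfix disabled: install the hotfix or upgrade the firmware now"
            findings.append(Finding(d.name, cve, sev, action, note))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.device, f.cve))
    return findings


def summary(findings):
    """Count findings per severity for a quick management view."""
    out = {}
    for f in findings:
        out[f.severity] = out.get(f.severity, 0) + 1
    return out


# Constructed inventory for demonstration; none of these are real devices.
ALL_CVES = set(ADVISORY)
INVENTORY = [
    # Fully hotfixed, so nothing should be reported even though SPX+HA and OTP are on.
    Device("fw-hq-01", auto_hotfix=True, hotfixed=set(ALL_CVES),
           features={"spx", "ha", "webadmin_otp"}),
    # Upgraded from an old release, legacy SMTP proxy still on, auto-hotfix turned off.
    Device("fw-branch-02", auto_hotfix=False, hotfixed=set(),
           features={"legacy_smtp_proxy", "upgraded_legacy", "quarantine_policy"}),
    # SPX without HA: the CVE-2025-6704 precondition is not met; 2024 issues hotfixed.
    Device("fw-lab-03", auto_hotfix=True, hotfixed={"CVE-2024-13974", "CVE-2024-13973"},
           features={"spx"}),
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f.severity:8} {f.device:12} {f.cve}: {f.action} ({f.note})")
    print(summary(triage(INVENTORY)))
```

Run against the constructed inventory, only fw-branch-02 is reported: CVE-2025-7624 (critical) because it matches all three legacy-proxy traits, plus the two 2024 issues that apply to any device without the hotfix. The point of the precondition sets is that a device with SPX but no HA, or with the hotfix confirmed, drops out of the queue rather than being flagged on version alone, which keeps the remediation list focused on the small percentage of installations the advisory actually describes.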

What Undercode Says:

Dissecting the Risks Behind the Sophos Firewall Vulnerabilities

This incident once again underscores the fragile balance between functionality and security in enterprise firewall solutions. While Sophos remains a leading name in network defense, the exposure of five vulnerabilities—two of which are pre-authentication remote code execution flaws—is cause for concern in high-risk industries like healthcare, finance, and government.

Remote Code Execution Without Credentials:

The sheer gravity of CVE-2025-6704 and CVE-2025-7624 lies in their ability to compromise systems with no credentials required. Attackers could, in theory, take over systems from outside the network perimeter, turning the firewall itself into a threat vector. The fact that CVE-2025-6704 affects just 0.05% of devices does little to lessen its risk—it only takes one vulnerable instance in a sensitive network to trigger a major breach.

Legacy Software, Modern Problems:

CVE-2025-7624 highlights the ongoing issue of organizations clinging to legacy configurations. This vulnerability specifically affects systems that were upgraded from older versions but did not adapt their configurations to the newer security model. It is a textbook example of how half-measures in system upgrades can backfire.

Critical Infrastructure in the Crosshairs:

The vulnerabilities involving WebAdmin (CVE-2025-7382 and CVE-2024-13973) show how attackers can exploit even administrative interfaces, especially when security protocols like OTP are misconfigured or weakly implemented. In an era where cloud-based centralized management is becoming standard, misconfigured admin ports could be a goldmine for attackers.

Role of Responsible Disclosure:

Sophos’ coordination with ethical hackers and the UK’s NCSC is a win for transparency and responsible vulnerability management. This cooperation ensured that bugs were fixed before any public exploitation was discovered. But this also raises a bigger question: how many vendors fail to receive or act on similar disclosures in time?

Automated Hotfixing as a Defense Strategy:

One of the smartest moves by Sophos was its automatic hotfix system. In a fast-moving threat landscape, relying on users to apply patches manually is a gamble. Sophos’ automated approach minimized exposure and proved its worth during this incident.

Geopolitical Implications:

State-sponsored cyber actors often look for high-value, low-effort vulnerabilities—precisely what pre-authentication RCE bugs offer. With rising geopolitical tensions, especially involving critical infrastructure and global surveillance, even a 0.05% exposure window can become a nation-state entry point.

Vendor Trust and Long-Term Confidence:

Incidents like these test customer trust. While Sophos handled this response well, repeated exposures or delays in patch deployment could erode its market reputation. Enterprises might start diversifying their firewall providers or opt for zero-trust architectures with microsegmentation to avoid total compromise in such events.

Lessons for the Industry:

The takeaway here isn’t limited to Sophos users. All firewall vendors and users must recognize the dangers of:

Enabling legacy or unused services

Relying on outdated hardware/software combinations

Failing to validate third-party configurations

Security posture isn’t just about defenses—it’s about maintenance and foresight.

🔍 Fact Checker Results:

✅ CVE-2025-6704 and CVE-2025-7624 are officially rated critical by Sophos
✅ Hotfixes have been deployed automatically since June and July 2025
✅ No active exploitation detected as of July 21, 2025

📊 Prediction:

🔮 Given the nature of these vulnerabilities, we anticipate that attackers will begin scanning for unpatched Sophos Firewalls in the coming months.
🔒 Organizations slow to upgrade from legacy configurations will become prime targets, especially small enterprises with lax patching procedures.
📈 Expect vendors to push more aggressive auto-update policies and introduce smarter monitoring systems to detect similar bugs in the future.

References:

Reported By: cyberpress.org