Sophos and SonicWall warn users of the Sophos Firewall’s critical security flaws and Secure Mobile Access (SMA) 100 Series appliances that can be exploited to achieve remote code execution.
Below is a list of two vulnerabilities affecting the Sophos firewall –
- CVE-2025-6704 (CVSS Score: 9.8) – SCURE PDF Exchange (SPX) feature vulnerability A write vulnerability for any file can lead to AUTH remote code execution beforehand when certain SPX configurations are enabled in conjunction with a firewall running in high availability (HA) mode.
- CVE-2025-7624 (CVSS Score: 9.8) – A SQL Injection vulnerability in Legacy (transparency) SMTP Proxy can lead to remote code execution if the email quarantine policy is active and SFO is upgraded from a version of 21.0 or higher.
According to Sophos, CVE-2025-6704 affects about 0.05% of devices, while CVE-2025-7624 affects 0.73% of devices. Both vulnerabilities are addressed along with high strength command injection vulnerabilities in the WebAdmin component (CVE-2025-7382, CVSS score: 8.8).
Also, patching by the company is two other vulnerabilities –
- CVE-2024-13974 (CVSS score: 8.1) – Business logic vulnerability in the UP2Date component could lead to attackers controlling the DNS environment of the firewall to enable remote code execution
- CVE-2024-13973 (CVSS score: 6.8) – A SQL injection vulnerability after AUTH in WebAdmin could potentially allow administrators to achieve arbitrary code execution
The UK National Cybersecurity Centre (NCSC) is acknowledged to have discovered and reported both CVE-2024-13974 and CVE-2024-13973. The problem affects the next version –
- CVE-2024-13974-Sophos Firewall v21.0 Affects Ga (21.0.0) and above
- CVE-2024-13973-Sophos Firewall V21.0 GA (21.0.0) and above impact
- CVE-2025-6704-Affected Sophos Firewall v21.5 GA (21.5.0) and above
- CVE-2025-7624-Sophos Firewall v21.5 GA (21.5.0) and above impact
- CVE-2025-7382-Sophos Firewall v21.5 GA (21.5.0) and above impact
SonicWall is disclosed as detailed in the SMA 100 Series Web Management Interface (CVE-2025-40599, CVSS score: 9.1).
The defect affects SMA 100 series products (SMA 210, 410, 500V) and is addressed in versions 10.2.2.1-90SV.
Sonicwall also noted that the vulnerability has not been exploited, but there are potential risks in light of recent reports from the Google Threat Intelligence Group (GTIG). Overstep.
In addition to applying the fix, the company recommends that customers of SMA 100 series devices follow these steps –
- Disable remote management access for externally directed interfaces (x1) to reduce attack surface
- Reset all passwords and re-post OTP (one-time password) bindings for appliance users and administrators
- Forces Multifactor Authentication (MFA) on all users
- Enable Web Application Firewall (WAF) on SMA 100
Organizations using SMA 100 Series devices are also recommended to check appliance logs and connection history for abnormalities and for indications of unauthorized access.
Organizations using SMA 500V virtual products are required to back up OVA files, export configurations, remove existing virtual machines and all associated virtual disks and snapshots, reinstall new OVAs from SonicWall using a hypervisor, and restore configurations.
