Sophos and SonicWall have alerted customers of vital security flaws in Sophos Firewall and Safe Cellular Entry (SMA) 100 Sequence home equipment that may very well be exploited to attain distant code execution.
The 2 vulnerabilities impacting Sophos Firewall are listed beneath –
- CVE-2025-6704 (CVSS rating: 9.8) – An arbitrary file writing vulnerability within the Safe PDF eXchange (SPX) characteristic can result in pre-auth distant code execution, if a selected configuration of SPX is enabled together with the firewall working in Excessive Availability (HA) mode
- CVE-2025-7624 (CVSS rating: 9.8) – An SQL injection vulnerability within the legacy (clear) SMTP proxy can result in distant code execution, if a quarantining coverage is lively for E mail and SFOS was upgraded from a model older than 21.0 GA
Sophos mentioned CVE-2025-6704 impacts about 0.05% of gadgets, whereas CVE-2025-7624 impacts as many as 0.73% of gadgets. Each vulnerabilities have been addressed alongside a high-severity command injection vulnerability within the WebAdmin element (CVE-2025-7382, CVSS rating: 8.8) that would lead to pre-auth code execution on Excessive Availability (HA) auxiliary gadgets, if OTP authentication for the admin consumer is enabled.
Additionally patched by the corporate are two different vulnerabilities –
- CVE-2024-13974 (CVSS rating: 8.1) – A enterprise logic vulnerability within the Up2Date element can result in attackers controlling the firewall’s DNS setting to attain distant code execution
- CVE-2024-13973 (CVSS rating: 6.8) – A post-auth SQL injection vulnerability in WebAdmin can doubtlessly result in directors attaining arbitrary code execution
The U.Okay. Nationwide Cyber Safety Centre (NCSC) has been credited with discovering and reporting each CVE-2024-13974 and CVE-2024-13973. The problems have an effect on the next variations –
- CVE-2024-13974 – Impacts Sophos Firewall v21.0 GA (21.0.0) and older
- CVE-2024-13973 – Impacts Sophos Firewall v21.0 GA (21.0.0) and older
- CVE-2025-6704 – Impacts Sophos Firewall v21.5 GA (21.5.0) and older
- CVE-2025-7624 – Impacts Sophos Firewall v21.5 GA (21.5.0) and older
- CVE-2025-7382 – Impacts Sophos Firewall v21.5 GA (21.5.0) and older
The disclosure comes as SonicWall detailed a vital bug within the SMA 100 Sequence net administration interface (CVE-2025-40599, CVSS rating: 9.1) {that a} distant attacker with administrative privileges can exploit to add arbitrary recordsdata and doubtlessly obtain distant code execution.
The flaw impacts SMA 100 Sequence merchandise (SMA 210, 410, 500v) and has been addressed in model 10.2.2.1-90sv.
SonicWall additionally identified that whereas the vulnerability has not been exploited, there exists a possible danger in mild of a latest report from the Google Risk Intelligence Group (GTIG), which discovered proof of a menace actor dubbed UNC6148 leveraging fully-patched SMA 100 collection gadgets to deploy a backdoor known as OVERSTEP.
In addition to making use of the fixes, the corporate can be recommending that clients of SMA 100 Sequence gadgets perform the next steps –
- Disable distant administration entry on the external-facing interface (X1) to scale back the assault floor
- Reset all passwords and reinitialize OTP (One-Time Password) binding for customers and directors on the equipment
- Implement multi-factor authentication (MFA) for all customers
- Allow Net Software Firewall (WAF) on SMA 100
Organizations utilizing SMA 100 Sequence gadgets are additionally suggested to overview equipment logs and connection historical past for anomalies and verify for any indicators of unauthorized entry.
Organizations utilizing the SMA 500v digital product are required to backup the OVA file, export the configuration, take away the present digital machine and all related digital disks and snapshots, reinstall the brand new OVA from SonicWall utilizing a hypervisor, and restore the configuration.
