Security Alert: Critical Vulnerabilities Found in Sophos and SonicWall Products
Sophos Firewall and Secure Mobile Access 100 Series at Risk
Recent disclosures describe critical security vulnerabilities in Sophos Firewall and in SonicWall's Secure Mobile Access (SMA) 100 Series appliances. In both products the flaws can lead to remote code execution on the device, which for a perimeter firewall or VPN gateway means full control of the network edge.
Key Vulnerabilities in Sophos Firewall
Two critical vulnerabilities impacting Sophos Firewall have been identified:
- CVE-2025-6704 (CVSS Score: 9.8): A pre-authentication arbitrary file write in the Secure PDF eXchange (SPX) feature. If SPX is enabled in a specific configuration while the firewall operates in High Availability (HA) mode, an unauthenticated attacker can use the file write to achieve remote code execution.
- CVE-2025-7624 (CVSS Score: 9.8): A pre-authentication SQL injection in the legacy (transparent) SMTP proxy. If a quarantining policy is active for email and the Sophos Firewall Operating System (SFOS) was upgraded from a version older than 21.0 GA, an unauthenticated attacker can likewise achieve remote code execution.
Impact Assessment
According to Sophos, CVE-2025-6704 affects roughly 0.05% of devices, while CVE-2025-7624 has a broader reach, impacting about 0.73%. In addition to these two issues, a command injection vulnerability in the WebAdmin interface was identified:
- CVE-2025-7382 (CVSS Score: 8.8): This high-severity pre-authentication flaw allows an adjacent attacker to execute code on HA auxiliary devices, provided that One-Time Password (OTP) authentication is enabled for the admin user.
Additional Vulnerabilities Fixed
In tandem with addressing the above issues, Sophos also patched two other vulnerabilities:
- CVE-2024-13974 (CVSS Score: 8.1): A business logic flaw in the Up2Date component that allows an attacker to control the firewall's DNS environment and thereby achieve remote code execution.
- CVE-2024-13973 (CVSS Score: 6.8): A post-authentication SQL injection in WebAdmin that allows an authenticated administrator to execute arbitrary code.
The two 2024 CVEs affect Sophos Firewall version 21.0 GA and older; the three newly disclosed CVEs (CVE-2025-6704, CVE-2025-7624 and CVE-2025-7382) affect version 21.5 GA and older. Sophos delivered the fixes as hotfixes, so administrators should confirm that automatic hotfix installation is enabled and that the hotfixes have actually been applied rather than assuming so.
SonicWall’s Critical Bug Disclosure
In a related development, SonicWall has disclosed a critical vulnerability in the SMA 100 Series web management interface:
- CVE-2025-40599 (CVSS Score: 9.1): An attacker who already holds administrative access can upload arbitrary files, potentially leading to remote code execution. The flaw affects the SMA 210, 410 and 500v models.
SonicWall states that it has seen no active exploitation of this vulnerability. The post-authentication requirement is nonetheless cold comfort: Google's Threat Intelligence Group has reported that a threat actor tracked as UNC6148 has been compromising fully patched, end-of-life SMA 100 series appliances, most likely with credentials and OTP seeds stolen in earlier intrusions, and deploying a backdoor known as OVERSTEP. An attacker with valid admin credentials is exactly the precondition CVE-2025-40599 requires.
Recommended Security Measures
Beyond applying the fixed firmware, SonicWall's advisory recommends the following measures for SMA 100 series customers:
- Disable Remote Management Access: Turn off remote management on the external-facing interface (X1) to minimize exposure of the management plane.
- Reset Passwords: Reset the passwords of all users and administrators and reinitialize OTP binding on the devices, since credentials and OTP seeds harvested from a previously compromised appliance remain valid after patching.
- Implement Multi-Factor Authentication (MFA): Enforce MFA for all users.
- Enable Web Application Firewall (WAF): Activate the WAF on SMA 100 series devices for an additional layer of protection.
- Review Logs: Examine appliance logs and connection histories for unusual activity or signs of unauthorized access, in particular administrative logins from unexpected sources.
Maintenance Steps for SMA 500v Users
For those running the SMA 500v virtual appliance, SonicWall advises a full rebuild rather than an in-place upgrade: back up the OVA file, export the configuration, and completely remove the existing virtual machine together with its disks and snapshots, so that nothing persisted on the old image survives. Then deploy the new OVA from SonicWall on the hypervisor and restore the exported configuration.
In light of these vulnerabilities, organizations are urged to act swiftly to patch and verify their network security infrastructure and to check these devices for signs of prior compromise.