Warning: Multiple Vulnerabilities in Sophos Firewall, Patch Immediately!

Published: 26/07/2025
  • Last update: 25/07/2025
  • Affected software:
    → Sophos Firewall v21.0 GA (21.0.0) and older
    → Sophos Firewall v21.5 GA (21.5.0) and older
  • Type: OS Command Injection & SQL Injection & Remote Code Execution
  • CVE/CVSS
    → CVE-2025-6704: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2025-7624: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2025-7382: CVSS 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2024-13974: CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2024-13973: CVSS 6.8 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Sources

Sophos - https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce

Risks

Multiple critical vulnerabilities in Sophos Firewall – in the Secure PDF eXchange (SPX), legacy SMTP proxy, WebAdmin and Up2Date components – allow attackers, in specific configurations, to execute unauthorized code, inject OS commands and SQL, and manipulate DNS behaviour.

Sophos Firewall is a next-generation firewall widely deployed by organizations to enforce network segmentation, email protection, and secure administrative access. It acts as a frontline defence for enterprise networks, enabling secure communication, threat prevention, and policy enforcement.

If exploited, these vulnerabilities could lead to unauthorized remote code execution, OS command injection and SQL injection, allowing attackers to bypass security controls, steal sensitive data, and disrupt core operations. The impact spans confidentiality, integrity, and availability, risking data breaches, full system compromise, and operational downtime.

Description

A set of critical security vulnerabilities has been identified in Sophos Firewall, impacting multiple components and configurations. These flaws enable remote code execution (RCE), arbitrary file writes, SQL injection, and command injection, potentially allowing attackers to compromise the confidentiality, integrity, and availability of affected systems.

CVE-2025-6704 (CVSS 9.8) – An arbitrary file write vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth RCE when combined with High Availability (HA) mode and specific SPX configurations.

CVE-2025-7624 (CVSS 9.8) – A critical SQL injection in the legacy SMTP proxy can lead to unauthenticated RCE, if a quarantine policy is active and the system was upgraded from versions prior to 21.0 GA.

CVE-2025-7382 (CVSS 8.8) – A command injection flaw in WebAdmin may allow adjacent attackers to achieve pre-auth code execution on HA auxiliary devices when OTP is enabled for admin login.

CVE-2024-13974 (CVSS 8.1) – A business logic vulnerability in the Up2Date component can be exploited to manipulate DNS behavior and achieve remote code execution, potentially impacting system integrity and firewall control.

CVE-2024-13973 (CVSS 6.8) – A post-auth SQL injection in WebAdmin enables trusted admin users to perform arbitrary code execution, increasing the risk of insider misuse or session hijacking.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
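As an added example that is not part of this CCB advisory or of any Sophos tooling, the Python script below checks the firewall version strings in an asset inventory against the affected range stated above (every release up to and including 21.5.0). The mapping of "GA" to patch level 0 and "MRn" to patch level n follows Sophos's usual version notation and is an assumption here, as are the hostnames and versions in the constructed inventory. A match only means the device is inside the stated range; it says nothing about whether the fix has since been installed, nor about past compromise.

```python
import re
from typing import NamedTuple


class SfosVersion(NamedTuple):
    """Sophos Firewall OS version as a comparable (major, minor, patch) triple."""
    major: int
    minor: int
    patch: int


# Upper bound of the affected range stated in the advisory:
# v21.0 GA (21.0.0) and older, and v21.5 GA (21.5.0) and older,
# so everything up to and including 21.5.0 lies inside it.
LAST_AFFECTED = SfosVersion(21, 5, 0)

# "21.5.0" on its own, or the "(21.5.0)" part of "v21.5 GA (21.5.0)"
_TRIPLE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# "21.0 GA", "21.0 MR1", "v21.5"; assumption: GA -> .0, MRn -> .n
_BRANCH = re.compile(r"^v?(\d+)\.(\d+)\s*(?:GA|MR(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> SfosVersion:
    """Parse the version formats seen in Sophos advisories into a triple."""
    s = text.strip()
    m = _TRIPLE.search(s)
    if m:
        return SfosVersion(*(int(g) for g in m.groups()))
    m = _BRANCH.match(s)
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return SfosVersion(major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return parse_version(text) <= LAST_AFFECTED


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose reported version is inside the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "fw-hq-01": "v21.5 GA (21.5.0)",
    "fw-branch-a": "21.0 MR2",
    "fw-branch-b": "20.0 MR3 (20.0.3)",
    "fw-lab": "21.5 MR1",
    "fw-new": "22.0 GA",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is inside the affected range; verify the fix is installed")
```

Feed `triage()` the version column exported from your inventory or management console; devices it returns are the ones to verify first, and any version string the parser rejects should be checked by hand rather than silently skipped.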

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.