Urgent Cybersecurity Alert: Critical Sophos Firewall Vulnerabilities Expose Organizations to Pre-Authentication RCE

Organizations relying on Sophos Firewall products face a severe and immediate threat. Recent disclosures reveal a cluster of critical vulnerabilities, including two enabling pre-authentication Remote Code Execution (RCE). These flaws could allow unauthenticated attackers to compromise systems without needing valid credentials, presenting a direct pathway for significant data breaches and network disruptions. As cybersecurity experts, our analysis confirms the gravity of these findings, urging all Sophos Firewall users to verify their patch status.

Understanding the Threat: Pre-Authentication Remote Code Execution

Pre-authentication Remote Code Execution is among the most dangerous vulnerability types. It signifies that an attacker can execute arbitrary code on a target system simply by sending specially crafted network packets, without any prior authentication. This bypasses traditional security layers like usernames and passwords, making the attack surface wide and the potential impact devastating. For Sophos Firewall users, this means a direct threat to network perimeter security, potentially allowing attackers to gain a foothold within internal networks.

The Identified Vulnerabilities: A Closer Look

The reported vulnerabilities collectively impact various Sophos Firewall configurations running version 21.5 GA and older. While hotfixes have been automatically deployed for the most critical issues, understanding the specific CVEs is crucial for comprehensive risk assessment:

• CVE-2025-6704: This vulnerability is one of the two identified pre-authentication RCE flaws. Its exploitation could lead to complete system compromise.
• CVE-2025-7624: The second pre-authentication RCE vulnerability, posing an equally severe risk to unpatched Sophos systems.
• CVE-2025-7382: While not explicitly stated as RCE, this vulnerability contributes to the overall risk profile, potentially enabling other forms of attack or privilege escalation.
• CVE-2024-13974: Another critical flaw requiring immediate attention due to its potential impact on firewall integrity.
• CVE-2024-13973: The final vulnerability in this cluster, contributing to the broader attack surface if left unaddressed.

The presence of two distinct pre-authentication RCE vulnerabilities underscores the urgency of remediation efforts. Sophos’s rapid deployment of automatic hotfixes is a positive step, but verification remains paramount.

Affected Versions and Configurations

These vulnerabilities primarily affect Sophos Firewall versions 21.5 GA and earlier. The specific impact can vary depending on the firewall’s configuration and enabled services. Organizations running any Sophos Firewall appliance should assume they are potentially vulnerable until verified otherwise.

Remediation Actions: Immediate Steps for Sophos Firewall Users

Given the severity of these vulnerabilities, immediate action is critical. Sophos has initiated automatic hotfix deployments, but administrators must confirm successful application.

• Verify Hotfix Application: Log into your Sophos Firewall administration interface and check the firmware version and patch level. Ensure that the hotfixes addressing these CVEs have been successfully applied. If automatic updates are disabled, manually apply the latest firmware updates immediately.
• Isolate Vulnerable Systems (If Not Patched): If, for any reason, a firewall cannot be immediately patched, consider isolating it from public internet access. Restrict administrative access to trusted internal networks only.
• Review Network Access Policies: Audit your firewall rules and ensure that only strictly necessary ports and services are exposed to the internet. Minimize the attack surface as much as possible.
• Monitor Logs for Suspicious Activity: Enhance monitoring of Sophos Firewall logs for any unusual connection attempts, failed logins, or unexpected process executions. Correlate with other security logs.
• Implement Multi-Factor Authentication (MFA): While these are pre-auth vulnerabilities, strong authentication for all management interfaces remains a best practice to mitigate potential post-exploitation lateral movement.
• Perform Regular Vulnerability Scans: Use vulnerability scanning tools to regularly assess your network perimeter for exposed services and known vulnerabilities.

Tools for Detection and Mitigation Verification

While Sophos has provided hotfixes, security professionals should leverage various tools to confirm mitigation and ongoing security posture:

Tool Name	Purpose	Link
Nmap	Network scanning for open ports and services, helping to identify exposure.	https://nmap.org/
OpenVAS/Greenbone Vulnerability Manager	Comprehensive vulnerability scanning and management.	https://www.greenbone.net/
Nessus	Enterprise-grade vulnerability assessment solution.	https://www.tenable.com/products/nessus
Sophos Firewall Management Console	Direct verification of firmware version and hotfix status.	(Accessed via your specific firewall’s IP address)

Conclusion: Prioritizing Perimeter Security

The discovery of multiple critical vulnerabilities, including pre-authentication RCE, in Sophos Firewall products serves as a stark reminder of the continuous challenges in perimeter security. Organizations must prioritize immediate verification of hotfix application and maintain a proactive security posture. Regularly updating firewalls, minimizing external exposure, and comprehensive log monitoring are non-negotiable practices for defending against sophisticated cyber threats. Stay vigilant, stay secure.