
Sophos and SonicWall Patch Critical RCE Flaws Affecting Firewalls and SMA 100 Devices
Sophos and SonicWall have both released patches for remote code execution (RCE) vulnerabilities in widely deployed perimeter products: Sophos Firewall and the SonicWall Secure Mobile Access (SMA) 100 Series. Because these appliances sit at the network edge, a successful exploit gives an attacker a privileged position on the very device meant to protect the network behind it, with access to the traffic, credentials and configuration it holds. Administrators should treat these updates as urgent.
Understanding the Critical Flaws: Sophos Firewall
Organizations running Sophos Firewall (formerly XG Firewall) should prioritize these updates. The two vulnerabilities are:
- CVE-2025-6704 (CVSS score: 9.8): An arbitrary file write vulnerability in Sophos Firewall's Secure PDF eXchange (SPX) feature. A successful exploit leads to remote code execution, letting an attacker run code on the firewall itself with high privileges. A CVSS v3 base score of 9.8 is what the scoring assigns to a flaw that is reachable over the network, has low attack complexity, requires neither authentication nor user interaction, and has high impact on confidentiality, integrity and availability; for an internet-facing appliance that is close to the worst practical case.
- CVE-2025-6705 (CVSS score: 7.5): An arbitrary command execution vulnerability affecting some versions of Sophos Firewall. A score of 7.5 falls in the High band (7.0 to 8.9) rather than Critical (9.0 and above), but command execution on a firewall still means an attacker can run operating-system commands on the device, alter its configuration, and pivot into the networks it connects.
These flaws are especially concerning because they live on the devices that enforce the network perimeter: an attacker who controls the firewall can disable or bypass the controls it provides, which makes such devices highly attractive targets.
SonicWall’s Urgent SMA 100 Series Patch
SonicWall has also released patches for its Secure Mobile Access (SMA) 100 Series appliances. The source this article draws on, the alert from The Hacker News, did not include the SonicWall CVE identifiers, but it states explicitly that the flaws could lead to remote code execution. An SMA appliance terminates remote-access VPN sessions, so code execution on it exposes the sessions, credentials and internal applications it brokers. Organizations using SMA 100 Series devices for remote access should treat the update as urgent and consult SonicWall's advisory for the affected firmware versions and CVE identifiers.
Impact and Threat Landscape
Remote code execution (RCE) vulnerabilities are among the most dangerous classes of security flaws: they let an attacker run arbitrary code on the target, often with elevated privileges. On a firewall or secure access gateway, successful exploitation could lead to:
- Network Compromise: Attackers gain a foothold within the organizational network, enabling lateral movement and access to internal systems.
- Data Exfiltration: Sensitive data stored on or accessible through the compromised device could be stolen.
- Disruption of Services: Malware deployment, denial of service attacks, or complete device bricking.
- Espionage: Covert monitoring of network traffic and communications.
- Ransomware Deployment: Using the compromised firewall as an entry point for broader ransomware campaigns.
Given the widespread adoption of Sophos and SonicWall products in enterprise environments, these vulnerabilities represent significant attack vectors for cybercriminals and state-sponsored actors alike.
Remediation Actions and Best Practices
Immediate action is imperative to mitigate the risks posed by these critical vulnerabilities. Here are the recommended steps:
- Patch Immediately: For Sophos Firewall users, apply the latest updates released by Sophos that address CVE-2025-6704 and CVE-2025-6705. SonicWall SMA 100 Series users must also apply the latest patches available from SonicWall. Consult the official vendor advisories and support portals for precise patch versions and upgrade instructions.
- Verify Patch Application: After updating, confirm that the running firmware or hotfix version matches the fixed version named in the vendor advisory, on every node of a high-availability pair, and that the appliance actually reloaded into the new version where the update requires it. Do not assume an update succeeded because the download completed.
- Review Logs and Monitor Activity: Scrutinize firewall logs, intrusion detection/prevention system (IDS/IPS) alerts, and SIEM data for unusual activity before and after patching. Look for failed login attempts, successful logins from unexpected sources, configuration changes nobody scheduled, new local accounts, unexpected outbound connections, and unusual resource utilization. If you find evidence of exploitation, patching alone is not enough: treat the device as compromised, rotate the credentials and keys it holds, and follow your incident response process.
- Segment Networks and Limit Exposure: Use network segmentation to limit the blast radius if a perimeter device is compromised, and keep management interfaces (web admin, SSH) off the internet, reachable only from a management network or over VPN.
- Implement Least Privilege: Ensure that all network devices and user accounts operate with the principle of least privilege.
- Conduct Regular Vulnerability Scanning: Use vulnerability scanners to identify unpatched systems and other potential weaknesses in your infrastructure.
- Backup Configurations: Always back up device configurations before applying significant updates.
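The log review step above is easier to repeat if the checks are written down. The following is an added example for this article, not Sophos or SonicWall code: it parses a small constructed export of admin-login and configuration-change events and raises findings for repeated failed logins from one source, successful admin logins from outside the management network, a success that follows a brute-force run, and configuration changes made by a source already flagged. The log format, hostnames, addresses, the management network and the thresholds are all assumptions made for the example; adapt `LINE_RE` and the constants to your own appliance's syslog export.

```python
"""Triage of firewall admin-authentication and configuration-change events.

Added example for this article, not Sophos or SonicWall code. The log
format, hostnames, addresses and the management network are constructed
for the example; adapt LINE_RE to the syslog export of your own appliance.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed "<ts> <host> <event> key=value ..." format).
SAMPLE_LOG = """\
2025-07-23T01:58:01Z fw-edge-01 admin_login result=failed user=admin src=203.0.113.77
2025-07-23T01:58:04Z fw-edge-01 admin_login result=failed user=admin src=203.0.113.77
2025-07-23T01:58:09Z fw-edge-01 admin_login result=failed user=admin src=203.0.113.77
2025-07-23T01:58:15Z fw-edge-01 admin_login result=failed user=admin src=203.0.113.77
2025-07-23T01:58:21Z fw-edge-01 admin_login result=failed user=admin src=203.0.113.77
2025-07-23T01:58:30Z fw-edge-01 admin_login result=success user=admin src=203.0.113.77
2025-07-23T01:59:02Z fw-edge-01 config_change user=admin src=203.0.113.77 object=spx_settings
2025-07-23T08:15:00Z fw-edge-01 admin_login result=success user=netops src=10.20.0.5
2025-07-23T08:16:10Z fw-edge-01 config_change user=netops src=10.20.0.5 object=firmware_update
"""

# Assumed management network: only sources inside it should reach the admin UI.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/23")]
FAIL_THRESHOLD = 5                  # this many failed logins from one source ...
FAIL_WINDOW = timedelta(minutes=2)  # ... within this window count as a brute force

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) ?(?P<kv>.*)$")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "host": m.group("host"),
        "event": m.group("event"),
    }
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def in_mgmt_network(src):
    """True if src is an IP address inside one of the management networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in MGMT_NETWORKS)


def triage(log_text):
    """Scan lines in order and return (finding, src, ts[, detail]) tuples.

    brute_force                FAIL_THRESHOLD failures from one source within FAIL_WINDOW
    login_outside_mgmt         successful admin login from outside the management network
    success_after_brute_force  successful login from a source that was brute forcing
    config_change_by_suspect   configuration change by a source already flagged above
    """
    findings = []
    failures = defaultdict(list)  # src -> timestamps of recent failed logins
    suspect_sources = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("src", "")
        ts = rec["ts"]
        if rec["event"] == "admin_login":
            if rec.get("result") == "failed":
                recent = [t for t in failures[src] if ts - t <= FAIL_WINDOW]
                recent.append(ts)
                failures[src] = recent
                if len(recent) == FAIL_THRESHOLD:  # fire once, when the threshold is hit
                    findings.append(("brute_force", src, ts))
            elif rec.get("result") == "success":
                if not in_mgmt_network(src):
                    findings.append(("login_outside_mgmt", src, ts))
                    suspect_sources.add(src)
                if len(failures[src]) >= FAIL_THRESHOLD:
                    findings.append(("success_after_brute_force", src, ts))
                    suspect_sources.add(src)
        elif rec["event"] == "config_change" and src in suspect_sources:
            findings.append(("config_change_by_suspect", src, ts, rec.get("object")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed sample, the script flags the 203.0.113.77 source four times (brute force, login from outside the management network, success after brute force, and the SPX configuration change that followed) and says nothing about the netops session from the management network. The threshold and window are deliberately simple; tune them to your own baseline, and treat any `config_change_by_suspect` finding as an incident rather than a patching task.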
Relevant Security Tools for Detection and Mitigation
Leveraging appropriate tools can significantly aid in identifying and managing vulnerabilities.
| Tool Name | Purpose | Link |
|---|---|---|
| Nessus | Comprehensive vulnerability scanning and assessment. | Tenable Nessus |
| OpenVAS / Greenbone Vulnerability Management (GVM) | Open-source vulnerability scanning solution. | Greenbone.net |
| Snort / Suricata | Network intrusion detection/prevention systems (IDS/IPS) for detecting malicious traffic patterns. | Snort.org, Suricata-IDS.org |
| Splunk / ELK Stack | SIEM (Security Information and Event Management) for centralized log analysis and threat hunting. | Splunk.com, Elastic.co (ELK Stack) |
Conclusion
The advisories from Sophos and SonicWall are a reminder that perimeter devices are targets, not just defenses. Critical RCE flaws in firewalls and SMA appliances demand immediate patching, followed by verification that the fix is actually running and a review of logs for signs that someone got there first. Applying vendor updates promptly, keeping management interfaces off the internet, and monitoring the devices that guard the edge are the basics that keep an advisory like this from becoming an incident.