Critical Security Flaws in Sophos Firewall and SonicWall SMA 100 Series: What You Need to Know
On July 24, 2025, security researchers raised alarms over critical vulnerabilities in Sophos Firewall and SonicWall Secure Mobile Access (SMA) 100 Series appliances. The flaws could allow attackers to execute code remotely and compromise affected systems. This article covers the details of the vulnerabilities, their impact, and the actions organizations should take to protect their networks.
Overview of the Vulnerabilities
Sophos has identified two primary vulnerabilities affecting its firewall products:
- CVE-2025-6704 (CVSS score: 9.8) – An arbitrary file write vulnerability in the Secure PDF eXchange (SPX) feature. When specific configurations are enabled, particularly in High Availability (HA) mode, it can lead to pre-authentication remote code execution.
- CVE-2025-7624 (CVSS score: 9.8) – A SQL injection vulnerability in the legacy (transparent) SMTP proxy. It can also lead to remote code execution, especially when a quarantining policy is active for Email and the Sophos Firewall Operating System (SFOS) was upgraded from a version older than 21.0 GA.
Impact Assessment
According to Sophos, CVE-2025-6704 affects approximately 0.05% of devices, while CVE-2025-7624 impacts around 0.73%. Both vulnerabilities have been addressed, alongside a high-severity command injection vulnerability in the WebAdmin component (CVE-2025-7382, CVSS score: 8.8). This command injection flaw could result in pre-auth code execution on HA auxiliary devices if One-Time Password (OTP) authentication for the admin user is enabled.
In addition to these, two other vulnerabilities were patched:
- CVE-2024-13974 (CVSS score: 8.1) – A business logic vulnerability in the Up2Date component that could allow attackers to control the firewall's DNS environment and achieve remote code execution.
- CVE-2024-13973 (CVSS score: 6.8) – A post-authentication SQL injection vulnerability in WebAdmin that could allow administrators to execute arbitrary code.
Versions Affected
The vulnerabilities affect various versions of Sophos Firewall:
- CVE-2024-13974 and CVE-2024-13973: affect Sophos Firewall v21.0 GA (21.0.0) and older.
- CVE-2025-6704, CVE-2025-7624, and CVE-2025-7382: affect Sophos Firewall v21.5 GA (21.5.0) and older.
SonicWall SMA 100 Series Vulnerability
In parallel, SonicWall disclosed a critical vulnerability in the SMA 100 Series web management interface (CVE-2025-40599, CVSS score: 9.1). This flaw allows a remote attacker with administrative privileges to upload arbitrary files, potentially leading to remote code execution. The vulnerability affects SMA 100 Series products, including SMA 210, 410, and 500v, and has been addressed in version 10.2.2.1-90sv.
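The affected-version statements for Sophos Firewall and the fixed SMA 100 build above are exactly what an asset-inventory check needs. The following triage script is an added example, not vendor code: it encodes the version thresholds and exposure conditions quoted in this article, parses both version formats (SFOS "21.5.0" and SonicWall "10.2.2.1-90sv"), and flags devices that still fall inside the affected ranges. Device names, the inventory layout and the product labels are constructed assumptions.

```python
import re

# Version thresholds and exposure conditions as stated in the advisory above.
# Sophos rule: (newest affected SFOS version, CVE, condition the advisory names).
SOPHOS_RULES = [
    ((21, 0, 0), "CVE-2024-13974", "Up2Date business-logic flaw (DNS environment control)"),
    ((21, 0, 0), "CVE-2024-13973", "post-auth SQL injection in WebAdmin"),
    ((21, 5, 0), "CVE-2025-6704", "SPX enabled, notably in HA mode"),
    ((21, 5, 0), "CVE-2025-7624", "legacy SMTP proxy with Email quarantine, upgraded from pre-21.0 GA"),
    ((21, 5, 0), "CVE-2025-7382", "HA auxiliary device with OTP enabled for admin"),
]
SMA100_FIXED = "10.2.2.1-90sv"  # first fixed SMA 100 firmware per the advisory

def parse_version(ver: str) -> tuple:
    """'21.5.0' -> (21, 5, 0); '10.2.2.1-90sv' -> (10, 2, 2, 1, 90)."""
    # Letters such as the 'sv' suffix are ignored; the '-90' build number is kept.
    nums = re.findall(r"\d+", ver)
    if not nums:
        raise ValueError(f"unparseable version string: {ver!r}")
    return tuple(int(n) for n in nums)

def sophos_exposure(version: str) -> dict:
    """Map each CVE that still applies to this SFOS version to its exposure condition."""
    v = parse_version(version)
    return {cve: cond for max_v, cve, cond in SOPHOS_RULES if v <= max_v}

def sma100_exposed(version: str) -> bool:
    """True when SMA 100 firmware is older than the fixed build; '10.2.2.1' with no build sorts lower and is flagged."""
    return parse_version(version) < parse_version(SMA100_FIXED)

def triage(inventory: list) -> dict:
    """Return {device name: [CVE, ...]} for every inventory entry still exposed."""
    findings = {}
    for dev in inventory:
        cves = []
        if dev["product"] == "sophos_firewall":
            cves = sorted(sophos_exposure(dev["version"]))
        elif dev["product"] == "sma100" and sma100_exposed(dev["version"]):
            cves = ["CVE-2025-40599"]
        if cves:
            findings[dev["name"]] = cves
    return findings

# Constructed sample inventory (names and versions are illustrative, not real devices).
SAMPLE_INVENTORY = [
    {"name": "fw-hq", "product": "sophos_firewall", "version": "21.5.0"},
    {"name": "fw-branch", "product": "sophos_firewall", "version": "20.0.3"},
    {"name": "fw-lab", "product": "sophos_firewall", "version": "21.5.1"},
    {"name": "sma-edge", "product": "sma100", "version": "10.2.2.0-25sv"},
    {"name": "sma-dr", "product": "sma100", "version": "10.2.2.1-90sv"},
]
```

Running `triage(SAMPLE_INVENTORY)` flags fw-hq with the three 2025 CVEs, fw-branch with all five, and sma-edge with CVE-2025-40599; the condition strings from `sophos_exposure` tell the operator which configuration to verify before treating a flagged firewall as exploitable.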
Threat Landscape
While SonicWall has indicated that this vulnerability has not yet been exploited, a recent report from the Google Threat Intelligence Group (GTIG) described the activities of a threat actor tracked as UNC6148. This group has been observed leveraging fully patched SMA 100 Series devices to deploy a backdoor named OVERSTEP, underscoring the urgency for organizations to act.
Recommended Actions for Organizations
To mitigate the risks associated with these vulnerabilities, organizations using Sophos Firewall and SMA 100 Series devices should take the following steps:
- Apply Patches: Ensure that all devices are updated to the latest firmware versions that address the identified vulnerabilities.
- Disable Remote Management Access: Turn off remote management access on the external-facing interface (X1) to minimize the attack surface.
- Reset Passwords: Reset all passwords and reinitialize OTP binding for users and administrators on the appliance.
- Enforce Multi-Factor Authentication (MFA): Implement MFA for all users to enhance security.
- Enable Web Application Firewall (WAF): Activate WAF on SMA 100 devices to provide an additional layer of protection.
- Review Logs and Connection History: Regularly check appliance logs and connection history for any anomalies or signs of unauthorized access.
- Backup and Reinstall: For organizations using the SMA 500v virtual product, back up the OVA file, export the configuration, remove the existing virtual machine and associated disks, reinstall the new OVA from SonicWall, and restore the configuration.
Conclusion
The recent vulnerabilities discovered in Sophos Firewall and SonicWall SMA 100 Series appliances highlight the ongoing challenges in network security. Organizations must remain vigilant, promptly apply patches, and adopt best practices to protect their systems from potential exploits. By taking proactive measures, businesses can significantly reduce their risk and enhance their overall cybersecurity posture.