Critical RCE Vulnerabilities Identified in Sophos Firewall and SMA 100 Devices: Urgent Patches Released by Sophos and SonicWall

July 24, 2025
Network Security / Vulnerability

Sophos and SonicWall have issued a warning regarding serious security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances, which could be exploited for remote code execution. The two critical vulnerabilities affecting Sophos Firewall are as follows:

  • CVE-2025-6704 (CVSS score: 9.8): An arbitrary file writing vulnerability within the Secure PDF eXchange (SPX) feature that can enable pre-auth remote code execution if specific SPX configurations are used alongside firewall operation in High Availability (HA) mode.
  • CVE-2025-7624 (CVSS score: 9.8): An SQL injection vulnerability in the legacy (transparent) SMTP proxy that can result in remote code execution, contingent on an active quarantining policy for Email and if SFOS has been upgraded from a version prior to 21.0 GA.

Sophos reports that CVE-2025-6704 affects approximately 0.05% of devices, while CVE-2025-7624 impacts up to 0.73% of devices. Both vulnerabilities have been addressed in a recent update, along with a high-severity command injection vulnerability.

Sophos and SonicWall Address Critical RCE Vulnerabilities in Firewalls and SMA 100 Devices

On July 24, 2025, cybersecurity firms Sophos and SonicWall issued urgent security warnings regarding significant vulnerabilities discovered in the Sophos Firewall and Secure Mobile Access (SMA) 100 Series devices. The flaws present a critical risk, allowing potential remote code execution (RCE) that could severely compromise network security if exploited.

Two primary vulnerabilities were identified in Sophos Firewall, both possessing a high Common Vulnerability Scoring System (CVSS) score of 9.8, indicating an urgent requirement for remediation. The first, designated CVE-2025-6704, pertains to an arbitrary file write issue within the Secure PDF eXchange (SPX) feature. This vulnerability becomes especially dangerous when a specific configuration of SPX is activated alongside the firewall operating in High Availability (HA) mode. While Sophos reports that only about 0.05% of devices are affected by this flaw, the severity cannot be underestimated.

The second vulnerability, CVE-2025-7624, targets an SQL injection weakness in the legacy (transparent) SMTP proxy of the firewall. This issue is particularly critical for users who have an active quarantining policy for emails and have upgraded their systems from a version prior to 21.0 GA. Approximately 0.73% of devices could be impacted by this vulnerability, further underscoring the urgent need for a patch.

In response to these findings, Sophos has developed and deployed updates to mitigate these vulnerabilities, alongside addressing a high-severity command injection issue. The swift action taken by both Sophos and SonicWall highlights the seriousness of maintaining robust cybersecurity practices, particularly for businesses that rely on these tools for network security.

These vulnerabilities pose a significant threat to organizations that fail to update their systems promptly. Attackers employing tactics such as initial access via exploited vulnerabilities could leverage these weaknesses, as outlined in the MITRE ATT&CK framework. Techniques such as privilege escalation may also come into play, enabling further exploitation if an attacker gains access to the network environment.

While Sophos has indicated a relatively small percentage of affected devices, the pervasive nature of cyber threats means that even a small window of vulnerability can lead to larger-scale issues. Businesses are urged to consult their system logs, check their configurations, and ensure that recent updates are applied without delay. The landscape of cybersecurity is constantly evolving, and staying one step ahead is essential for risk mitigation.

As organizations increasingly pivot to remote work and cloud services, vulnerabilities like these serve as stark reminders of the security challenges that accompany technological advancements. Business owners must prioritize regular security assessments and updates to safeguard their operations against these persistent threats.

In summary, the recent disclosures surrounding Sophos Firewall and SMA 100 vulnerabilities reveal significant risks to network integrity. By understanding the implications of threat vectors and applying relevant updates, companies can better protect themselves in an increasingly hostile digital environment. Keeping abreast of such developments is crucial for any business leader dedicated to maintaining their cybersecurity posture.

Source link

Related Posts

Ivanti Addresses EPMM Vulnerabilities Leading to Remote Code Execution in Select Attacks

May 14, 2025
Vulnerability / Endpoint Security

Ivanti has issued security updates to remedy two vulnerabilities in its Endpoint Manager Mobile (EPMM) software, which have been exploited in limited attacks for remote code execution. The vulnerabilities include:

  • CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass that enables attackers to access protected resources without valid credentials.
  • CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability allowing arbitrary code execution on affected systems.

Exploiting these vulnerabilities could allow an attacker to chain them together to execute arbitrary code on a compromised device without authentication. The affected versions of the product are:

  • 11.12.0.4 and earlier (fixed in 11.12.0.5)
  • 12.3.0.1 and earlier (fixed in 12.3.0.2)
  • 12.4.0.1 and earlier (fixed in 12.4.0.2)
  • 12.5.0.0 and earlier (fixed in 12.5.0.1)

Ivanti has credited CERT-EU for reporting these vulnerabilities.

Fortinet Addresses CVE-2025-32756: Critical Zero-Day RCE Vulnerability in FortiVoice Systems

May 14, 2025
Vulnerability / Network Security

Fortinet has issued a fix for a severe security vulnerability exploited as a zero-day in attacks against FortiVoice enterprise phone systems. Identified as CVE-2025-32756, this flaw has a high CVSS score of 9.6 out of 10.0. According to the company’s advisory, “A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may enable a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.” Fortinet has confirmed that the flaw has been actively exploited in the wild within FortiVoice systems, although details regarding the scope of the attacks and the identities of the attackers remain undisclosed. Notably, the attacker engaged in network scans of devices, deleted system crash logs, and enabled FCGI debugging to capture credentials from the system and SSH login attempts. The vulnerability impacts the following products and versions: FortiCamera 1.1, 2.0 (Update to a secure release recommended).

Microsoft Resolves 78 Vulnerabilities, Including 5 Actively Exploited Zero-Days; CVSS 10 Flaw Affects Azure DevOps Server

May 14, 2025
Endpoint Security / Vulnerability

Microsoft has released updates addressing 78 security vulnerabilities across its software, including five zero-days currently being exploited in the wild. Among these flaws, 11 are classified as Critical, 66 as Important, and one as Low in severity. The patches include 28 vulnerabilities that enable remote code execution, 21 related to privilege escalation, and 16 classified as information disclosure issues. This release also coincides with fixes for eight security flaws found in the Chromium-based Edge browser since last month’s Patch Tuesday. The details of the actively exploited vulnerabilities are as follows:

  • CVE-2025-30397 (CVSS score: 7.5) – Scripting Engine Memory Corruption Vulnerability
  • CVE-2025-30400 (CVSS score: 7.8) – Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability
  • CVE-2025-3270…

Samsung Addresses CVE-2025-4632, Exploited in the Wild for Mirai Botnet Deployment Through MagicINFO 9 Vulnerability

May 14, 2025
Vulnerability / Malware

Samsung has issued software updates to fix a critical security vulnerability in MagicINFO 9 Server that has been actively targeted. Identified as CVE-2025-4632 (CVSS score: 9.8), this path traversal flaw allows attackers to write arbitrary files with system-level permissions. According to the advisory, the vulnerability arises from “improper limitation of a pathname to a restricted directory” in versions before 21.1052 of the MagicINFO 9 Server. Notably, CVE-2025-4632 serves as a patch bypass for a previously addressed vulnerability, CVE-2024-7399, which was mitigated by Samsung in August 2024. Shortly after a proof-of-concept was released by SSD Disclosure on April 30, 2025, CVE-2025-4632 began to be exploited in the wild, with reports of it being used to deploy the Mirai botnet. Initial investigations into these attacks mistakenly pointed to CVE-2024-7399, but cybersecurity firm Huntress later clarified the situation.