Overview

Sophos and SonicWall have issued security updates addressing multiple critical vulnerabilities in Sophos Firewall and in the SonicWall Secure Mobile Access (SMA) 100 Series, respectively. Several of the flaws allow remote code execution, some of them without authentication, and could be used to compromise perimeter devices and the networks behind them.

Technical Details

Sophos Firewall Vulnerabilities:

  • CVE-2025-6704 (CVSS 9.8): Arbitrary file write in the Secure PDF eXchange (SPX) feature, leading to pre-auth RCE when a specific SPX configuration is enabled and the firewall runs in High Availability (HA) mode.
  • CVE-2025-7624 (CVSS 9.8): SQL injection in the legacy (transparent) SMTP proxy, leading to RCE if an email quarantining policy is active and the firewall was upgraded from a release older than 21.0 GA.
  • CVE-2025-7382 (CVSS 8.8): Command injection in WebAdmin, leading to pre-auth code execution on HA auxiliary devices when OTP authentication is enabled for the admin user.
  • CVE-2024-13974 (CVSS 8.1): Business logic flaw in the Up2Date component that lets an attacker control the firewall's DNS environment and achieve RCE.
  • CVE-2024-13973 (CVSS 6.8): Post-auth SQL injection in WebAdmin that can let an administrator achieve arbitrary code execution.

SonicWall SMA 100 Series Vulnerability:

  • CVE-2025-40599 (CVSS 9.1): Authenticated arbitrary file upload in the web management interface; an attacker with administrative credentials can upload arbitrary files and potentially achieve RCE. Exposure is highest where the management interface is reachable from the WAN.


Affected Devices

Sophos Firewall:

  • CVE-2025-6704, CVE-2025-7624, CVE-2025-7382: Affects v21.5 GA (21.5.0) and older.
  • CVE-2024-13974, CVE-2024-13973: Affects v21.0 GA (21.0.0) and older.

SonicWall SMA 100 Series:

  • SMA 210, 410, 500v — affected by CVE-2025-40599. Patched in version 10.2.2.1-90sv.
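The exposure conditions above are not just "version X or older": three of the Sophos CVEs only apply when a particular feature combination (SPX plus HA, quarantining plus a pre-21.0 upgrade path, OTP for admin plus HA) is present, and the SonicWall flaw needs the management interface reachable and an unpatched build. The following inventory triage script is an added example written for this page, not code from Sophos, SonicWall or the original advisory. It encodes the version ceilings and conditions exactly as listed in the Technical Details and Affected Devices sections, and applies them to a constructed device list; the device names, models, versions and flag names are assumptions for illustration.

```python
"""Exposure triage for the Sophos Firewall and SonicWall SMA 100 CVEs in this advisory.
Added example; device inventory below is constructed, not real."""
from dataclasses import dataclass
import re

# Affected-version ceilings and fixed build as stated in the advisory.
SOPHOS_21_5_CEILING = "21.5.0"       # CVE-2025-6704 / -7624 / -7382: v21.5 GA and older
SOPHOS_21_0_CEILING = "21.0.0"       # CVE-2024-13974 / -13973: v21.0 GA and older
SMA_FIXED_VERSION = "10.2.2.1-90sv"  # CVE-2025-40599 patched in this build
SMA_MODELS = {"SMA 210", "SMA 410", "SMA 500v"}


def parse_version(v: str) -> tuple:
    """Turn '21.5.0' or '10.2.2.1-90sv' into a comparable tuple of ints.
    Zero-padded to five fields so '21.5' compares equal to '21.5.0';
    the 'sv' suffix carries no ordering information and is dropped."""
    nums = [int(n) for n in re.findall(r"\d+", v)]
    return tuple(nums + [0] * (5 - len(nums)))


@dataclass
class Device:
    name: str
    vendor: str                          # "sophos" or "sonicwall"
    model: str
    version: str
    ha_mode: bool = False                # Sophos: High Availability enabled
    spx_enabled: bool = False            # Sophos: SPX (Secure PDF eXchange) configured
    email_quarantine: bool = False       # Sophos: an email quarantining policy is active
    upgraded_from_pre_21: bool = False   # Sophos: upgraded from a release older than 21.0 GA
    otp_admin: bool = False              # Sophos: OTP enabled for the admin user
    wan_mgmt: bool = False               # SonicWall: remote management reachable on X1


@dataclass
class Finding:
    cve: str
    cvss: float
    note: str


def triage(d: Device) -> list:
    """Return the CVEs this device is exposed to, highest CVSS first.
    Modelling assumption (this script's, not the vendors'): any device at or below the
    stated ceiling is treated as exposed even if an out-of-band hotfix was applied, so
    confirm fix status on the device itself before closing a finding."""
    v = parse_version(d.version)
    out = []
    if d.vendor == "sophos":
        if v <= parse_version(SOPHOS_21_5_CEILING):
            if d.spx_enabled and d.ha_mode:
                out.append(Finding("CVE-2025-6704", 9.8, "SPX arbitrary file write, pre-auth RCE in HA mode"))
            if d.email_quarantine and d.upgraded_from_pre_21:
                out.append(Finding("CVE-2025-7624", 9.8, "legacy SMTP proxy SQLi, RCE"))
            if d.ha_mode and d.otp_admin:
                out.append(Finding("CVE-2025-7382", 8.8, "WebAdmin command injection, pre-auth RCE on HA auxiliary"))
        if v <= parse_version(SOPHOS_21_0_CEILING):
            out.append(Finding("CVE-2024-13974", 8.1, "Up2Date business logic flaw, DNS manipulation to RCE"))
            out.append(Finding("CVE-2024-13973", 6.8, "WebAdmin post-auth SQLi, code execution"))
    elif d.vendor == "sonicwall" and d.model in SMA_MODELS:
        if v < parse_version(SMA_FIXED_VERSION):
            note = "web management file upload, post-auth RCE"
            if d.wan_mgmt:
                note += "; management exposed on X1, disable until patched"
            out.append(Finding("CVE-2025-40599", 9.1, note))
    return sorted(out, key=lambda f: f.cvss, reverse=True)


# Constructed sample inventory (names, models and versions are illustrative only).
INVENTORY = [
    Device("fw-edge-01", "sophos", "XGS 2300", "21.5.0", ha_mode=True, spx_enabled=True, otp_admin=True),
    Device("fw-branch-02", "sophos", "XGS 116", "21.0.0", email_quarantine=True, upgraded_from_pre_21=True),
    Device("fw-lab-03", "sophos", "XGS 87", "21.5.1"),
    Device("sma-dc-01", "sonicwall", "SMA 410", "10.2.1.15-81sv", wan_mgmt=True),
    Device("sma-dc-02", "sonicwall", "SMA 500v", "10.2.2.1-90sv"),
]


def report(inventory=INVENTORY) -> dict:
    """Map device name -> list of applicable CVE IDs, highest CVSS first."""
    return {d.name: [f.cve for f in triage(d)] for d in inventory}


if __name__ == "__main__":
    for d in INVENTORY:
        for f in triage(d):
            print(f"{d.name:12} {f.cve:15} CVSS {f.cvss}  {f.note}")
```

Feed it your real inventory (vendor, model, running build and the five configuration flags) and the output is a prioritised patch list. The flags are deliberately required inputs rather than guessed: a Sophos firewall on 21.5.0 that runs standalone with SPX disabled is only exposed to what the version ceiling alone implies, while the same build in an HA pair with OTP on the admin account is open to pre-auth RCE on the auxiliary.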


Recommended Remediations

ctrl:cyber recommends that security teams act swiftly to mitigate the risk and follow the recommendations below.

For Sophos Users:

  • Apply the latest firmware updates immediately, and verify on each device (both nodes of an HA pair included) that the fixed build is actually running.
  • Review SPX, SMTP proxy and email quarantine configurations, especially on HA pairs and on firewalls that were upgraded from releases older than 21.0 GA, since those are the conditions that make the critical flaws reachable.
  • Until patched, consider temporarily disabling OTP for the admin user on HA auxiliary devices, since that setting is what exposes CVE-2025-7382; this weakens admin authentication, so re-enable OTP as soon as the update is applied rather than treating it as a permanent change.

For SonicWall Users:

  • Update to firmware version 10.2.2.1-90sv.
  • Disable remote management on the external-facing interface (X1) until the update is applied, and keep it disabled afterwards unless there is a hard requirement for it.
  • Reset all user and administrator passwords and reinitialize OTP bindings, since the flaw requires administrative credentials and any previously exposed credentials would make it exploitable.
  • Enforce multi-factor authentication (MFA) for all users.
  • Enable the Web Application Firewall (WAF) on the appliance.
  • For SMA 500v deployments: back up the existing OVA, export the configuration, remove the VM and its virtual disks, deploy the new OVA, and restore the configuration, so the appliance is rebuilt from a clean image rather than upgraded in place.

Sources: The Hacker News, SonicWall, Sophos.