Cybersecurity firms Sophos and SonicWall have issued urgent alerts regarding critical vulnerabilities in widely used network security products. The flaws, found in Sophos Firewall and SonicWall’s Secure Mobile Access (SMA) 100 Series, could allow attackers to achieve remote code execution (RCE), posing a significant threat to organizational security. Both companies have released patches and are urging customers to apply them immediately to mitigate the risks.
Sophos detailed five vulnerabilities affecting its firewall, two of which are rated critical with a CVSS score of 9.8. The first, CVE-2025-6704, is an arbitrary file write flaw in the Secure PDF eXchange (SPX) feature that can lead to pre-authentication RCE if the firewall is also running in High Availability (HA) mode. The second critical flaw, CVE-2025-7624, is an SQL injection vulnerability in the legacy SMTP proxy that enables RCE if specific email quarantining policies are active. Sophos noted that these critical flaws affect a small percentage of devices, 0.05% and 0.73% respectively.
Alongside the critical bugs, Sophos patched three other vulnerabilities. CVE-2025-7382 (CVSS 8.8) is a pre-auth command injection vulnerability affecting auxiliary HA devices. The UK’s National Cyber Security Centre (NCSC) was credited with discovering two other issues affecting older firewall versions: CVE-2024-13974 (CVSS 8.1), a business logic flaw in the Up2Date component, and CVE-2024-13973 (CVSS 6.8), a post-auth SQL injection bug. The vulnerabilities impact various versions of Sophos Firewall up to and including v21.5 GA (21.5.0), and fixes have been released.
Separately, SonicWall disclosed CVE-2025-40599, a critical vulnerability (CVSS 9.1) in the web management interface of its SMA 100 Series appliances (SMA 210, 410, and 500v). The flaw could allow a remote attacker with admin privileges to upload arbitrary files and achieve RCE. Although there is no evidence of active exploitation, SonicWall highlighted the potential risk by referencing a recent Google report about a threat actor, UNC6148, deploying backdoors on fully patched SMA 100 devices. A patch has been issued in version 10.2.2.1-90sv.
Both companies stress the importance of applying the security updates promptly. SonicWall provided additional recommendations for SMA 100 Series customers to enhance security. These steps include disabling remote management access on external interfaces, resetting all user and admin passwords, enforcing multi-factor authentication (MFA), and enabling the Web Application Firewall (WAF). Furthermore, users are advised to review appliance logs for any anomalies and, for virtual appliances, to perform a full reinstallation using the new patched version.