CVE-2025-6704
📋 TL;DR
This vulnerability allows unauthenticated attackers to write arbitrary files to Sophos Firewall systems, potentially leading to remote code execution. It affects Sophos Firewall versions older than 21.0.2 when Secure PDF eXchange (SPX) is enabled and the firewall is configured in High Availability (HA) mode. Organizations using vulnerable configurations are at risk of complete system compromise.
💻 Affected Systems
- Sophos Firewall
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with pre-authentication remote code execution, allowing attackers to install malware, exfiltrate data, pivot to internal networks, and disrupt firewall operations.
Likely Case
Remote code execution leading to firewall compromise, network traffic interception, credential theft, and lateral movement within the network.
If Mitigated
Limited exposure if SPX is disabled or the firewall is not running in HA mode, since the pre-authentication path depends on both conditions. The vulnerable code is still present on the device until 21.0.2 is installed, so this is a mitigation, not a fix.
🎯 Exploit Status
Exploitation requires no authentication, which makes this particularly dangerous. The precondition (SPX enabled together with HA mode) narrows the exposed population and may limit widespread exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.0 MR2 (21.0.2) or later
Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
Restart Required: Yes
Instructions:
1. Log into the Sophos Firewall admin interface.
2. Navigate to Backup & Firmware > Firmware.
3. Upload and install firmware version 21.0.2 or later.
4. Reboot the firewall after the installation completes.
🔧 Temporary Workarounds
Disable SPX Feature
Temporarily disable the Secure PDF eXchange feature until the firewall can be upgraded to 21.0.2 or later.
Remove HA Configuration
If High Availability is not required, temporarily disable the HA configuration. Either workaround removes one of the two preconditions for the pre-authentication path; disabling SPX is the more targeted of the two.
🧯 If You Can't Patch
- Disable SPX feature immediately if not required for business operations
- Implement strict network segmentation to isolate vulnerable firewalls from critical assets
🔍 How to Verify
Check if Vulnerable:
Check the firewall version via the admin interface: System > Status > Product Information. If the version is below 21.0.2 AND SPX is enabled AND HA mode is configured, the pre-authentication path is reachable and the system is vulnerable. If the version is below 21.0.2 but one of the two conditions is not met, the device is still unpatched and should be scheduled for upgrade.
Check Version:
ssh admin@firewall_ip 'show version' or check via web admin interface
Verify Fix Applied:
After patching, verify version is 21.0.2 or higher in System > Status > Product Information.
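The check above is easy to get wrong across a fleet because SFOS version strings carry release suffixes (for example "SFOS 21.0.1 MR-1-Build...") and because the two configuration preconditions have to be combined with the version. The following is an added example, not Sophos's code or anything from the vendor advisory: it parses the version string as shown under Product Information, compares it numerically against 21.0.2, and combines the result with the SPX and HA state to produce a triage verdict. The version strings and device names below are constructed samples.

```python
"""Exposure triage for CVE-2025-6704 on Sophos Firewall (SFOS).

Added example (not Sophos's code). Assumptions: the version string is the
text shown under System > Status > Product Information, and the SPX/HA
flags were read from each device's configuration by the operator.
"""
import re
from dataclasses import dataclass

# Fix version per the vendor advisory: 21.0 MR2 == 21.0.2
FIXED_VERSION = (21, 0, 2)

# Matches "21.0.2", "SFOS 21.0.1 MR-1-Build123", "20.0.3 MR-3"; ignores
# the GA/MR/Build suffix, which is not needed for the comparison.
_VERSION_RE = re.compile(r"(?:SFOS\s+)?(\d+)\.(\d+)\.(\d+)")


def parse_sfos_version(text: str) -> tuple:
    """Return (major, minor, maintenance) as integers.

    Numeric tuples compare correctly where string comparison would not
    (e.g. "21.0.10" is newer than "21.0.2").
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    return tuple(int(g) for g in m.groups())


@dataclass
class FirewallState:
    name: str            # constructed device label
    version: str         # Product Information version string
    spx_enabled: bool    # Secure PDF eXchange feature on?
    ha_configured: bool  # device is part of an HA pair?


def assess(state: FirewallState) -> str:
    """Classify one device.

    'patched'               : running 21.0.2 or later.
    'vulnerable'            : unpatched AND SPX enabled AND HA configured,
                              i.e. the pre-auth path is reachable.
    'unpatched-not-exposed' : unpatched, but at least one precondition is
                              absent; the vulnerable code is still present,
                              so the upgrade is still required.
    """
    if parse_sfos_version(state.version) >= FIXED_VERSION:
        return "patched"
    if state.spx_enabled and state.ha_configured:
        return "vulnerable"
    return "unpatched-not-exposed"


def triage(states: list) -> dict:
    """Map device name -> verdict for a whole fleet."""
    return {s.name: assess(s) for s in states}


if __name__ == "__main__":
    # Constructed sample fleet for illustration.
    fleet = [
        FirewallState("fw-edge-01", "SFOS 21.0.1 MR-1-Build123", True, True),
        FirewallState("fw-edge-02", "SFOS 21.0.2 MR-2-Build456", True, True),
        FirewallState("fw-branch-03", "20.0.3 MR-3", False, True),
        FirewallState("fw-branch-04", "SFOS 21.5.0 GA", True, False),
    ]
    for name, verdict in triage(fleet).items():
        print(f"{name:14} {verdict}")
```

Run it against an inventory export and patch everything that is not "patched"; the "vulnerable" entries are the ones to handle first (or to take out of the exposed state by disabling SPX until the upgrade).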
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations in SPX logs
- Unauthenticated access attempts to SPX endpoints
- Unexpected process execution from SPX directories
Network Indicators:
- Unusual traffic to SPX service ports
- Anomalous outbound connections from firewall
SIEM Query (illustrative; map the field names to your SIEM's Sophos Firewall log schema before use):
source="sophos_firewall" AND (event_type="file_write" OR process="spx") AND user="unauthenticated"