Firewall Alert: Sophos and SonicWall Rush to Fix Critical Security Holes
Administrators need to act fast. Sophos and SonicWall are scrambling to patch serious vulnerabilities in their firewall and Secure Mobile Access (SMA) 100 series devices. Hackers could potentially leverage these flaws to remotely execute malicious code, giving them complete control.

Sophos and SonicWall have just dropped some important alerts. They've identified critical security vulnerabilities in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances. These flaws could potentially allow attackers to remotely execute malicious code on your systems. Let's dive into the details.
Sophos Firewall Vulnerabilities: A Closer Look
Sophos is urging users to patch their systems ASAP. Here are the vulnerabilities impacting Sophos Firewall:
- CVE-2025-6704 (CVSS score: 9.8) - This is a big one! An arbitrary file write vulnerability in the Secure PDF eXchange (SPX) feature could let attackers run code remotely, *without even needing to authenticate*. This only applies if you're running SPX in a specific configuration *and* your firewall is in High Availability (HA) mode.
- CVE-2025-7624 (CVSS score: 9.8) - Another critical vulnerability! This SQL injection flaw in the legacy SMTP proxy can also lead to remote code execution. This one's triggered if you're using a quarantining policy for email and upgraded your SFOS from a version older than 21.0 GA.
Sophos estimates that CVE-2025-6704 affects a tiny fraction of devices (around 0.05%), while CVE-2025-7624 could impact up to 0.73% of devices. The good news? Sophos has already addressed these vulnerabilities. They've also patched a high-severity command injection vulnerability in the WebAdmin component (CVE-2025-7382, CVSS score: 8.8). This one could let attackers execute code on HA auxiliary devices *before* authentication, but only if OTP authentication is enabled for the admin user.
But wait, there's more! Sophos also tackled these issues:
- CVE-2024-13974 (CVSS score: 8.1) - This business logic vulnerability in the Up2Date component could allow attackers to control the firewall's DNS settings, leading to remote code execution.
- CVE-2024-13973 (CVSS score: 6.8) - A post-authentication SQL injection vulnerability in WebAdmin *could* potentially let administrators run arbitrary code.
Kudos to the U.K. National Cyber Security Centre (NCSC) for discovering and reporting CVE-2024-13974 and CVE-2024-13973! Here's a breakdown of affected versions:
- CVE-2024-13974 - Affects Sophos Firewall v21.0 GA (21.0.0) and older
- CVE-2024-13973 - Affects Sophos Firewall v21.0 GA (21.0.0) and older
- CVE-2025-6704 - Affects Sophos Firewall v21.5 GA (21.5.0) and older
- CVE-2025-7624 - Affects Sophos Firewall v21.5 GA (21.5.0) and older
- CVE-2025-7382 - Affects Sophos Firewall v21.5 GA (21.5.0) and older
SonicWall SMA 100 Series Bug: What You Need to Know
Not to be outdone, SonicWall detailed a critical vulnerability in the SMA 100 Series web management interface (CVE-2025-40599, CVSS score: 9.1). If an attacker has administrative privileges, they could exploit this to upload arbitrary files and *potentially* achieve remote code execution.
This flaw impacts SMA 100 Series products (SMA 210, 410, 500v) and has been fixed in version 10.2.2.1-90sv. So, update now!
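To turn the affected-version list for Sophos Firewall and the fixed SonicWall build into something you can run against an inventory, here is an added triage script (not vendor code, and not part of the original article). It assumes simplified version formats: SFOS versions as "21.5.0", "v21.5.0" or "21.5 GA", and SMA 100 versions as "10.2.2.1-90sv" (dotted release plus a "-<build>sv" suffix, with the build number assumed to increase within a release). The hostnames and the non-fixed SMA version in the sample inventory are constructed. It implements only the version ranges the advisories state; the configuration preconditions (SPX in HA mode, quarantine policy plus upgrade from before 21.0 GA, OTP on the admin user) still have to be checked by hand.

```python
# Added example: map firewall versions to the advisories described above.
import re
from typing import List, Tuple

# Affected ranges as stated: "vX.Y GA (X.Y.0) and older", per CVE.
SOPHOS_ADVISORIES = [
    ("CVE-2024-13974", 8.1, (21, 0, 0)),
    ("CVE-2024-13973", 6.8, (21, 0, 0)),
    ("CVE-2025-6704", 9.8, (21, 5, 0)),
    ("CVE-2025-7624", 9.8, (21, 5, 0)),
    ("CVE-2025-7382", 8.8, (21, 5, 0)),
]

# SonicWall SMA 100: fixed in 10.2.2.1-90sv, so anything older is treated as affected.
SONICWALL_FIXED = (10, 2, 2, 1, 90)
SONICWALL_ADVISORY = ("CVE-2025-40599", 9.1)


def parse_sfos_version(text: str) -> Tuple[int, int, int]:
    """Accept '21.5.0', 'v21.5.0', '21.5' or '21.5 GA' (GA = patch level 0). Assumed format."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+)| GA)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised SFOS version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_sma_version(text: str) -> Tuple[int, ...]:
    """Accept '10.2.2.1-90sv': four dotted numbers plus a build number. Assumed format."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv", text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version: {text!r}")
    return tuple(int(g) for g in m.groups())


def sophos_exposure(version: str) -> List[str]:
    """CVE ids whose stated affected range ('... and older') includes this SFOS version."""
    v = parse_sfos_version(version)
    return [cve for cve, _score, max_affected in SOPHOS_ADVISORIES if v <= max_affected]


def sonicwall_exposure(version: str) -> List[str]:
    """CVE-2025-40599 applies to any SMA 100 build older than the fixed one."""
    v = parse_sma_version(version)
    return [SONICWALL_ADVISORY[0]] if v < SONICWALL_FIXED else []


def triage(inventory):
    """inventory: iterable of (hostname, vendor, version). Most-exposed devices first."""
    rows = []
    for host, vendor, version in inventory:
        if vendor == "sophos":
            cves = sophos_exposure(version)
        elif vendor == "sonicwall-sma100":
            cves = sonicwall_exposure(version)
        else:
            raise ValueError(f"unknown vendor tag: {vendor!r}")
        rows.append((host, version, cves))
    return sorted(rows, key=lambda r: len(r[2]), reverse=True)


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and the 10.2.1.15-81sv build are made up).
    sample = [
        ("fw-branch-01", "sophos", "21.0 GA"),
        ("fw-hq-01", "sophos", "21.5.0"),
        ("fw-hq-02", "sophos", "21.5.1"),
        ("sma-vpn-01", "sonicwall-sma100", "10.2.1.15-81sv"),
        ("sma-vpn-02", "sonicwall-sma100", "10.2.2.1-90sv"),
    ]
    for host, version, cves in triage(sample):
        print(f"{host:14} {version:16} {', '.join(cves) or 'outside the stated affected ranges'}")
```

A device that comes back empty here is only outside the ranges the advisories list; it can still be exposed through the other conditions the vendor describes, so use the output to prioritise patching, not to declare a box safe.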
SonicWall also emphasized that even though this specific vulnerability hasn't been actively exploited, there's still a risk. This comes after a recent report from Google's Threat Intelligence Group (GTIG) revealed that a threat actor called UNC6148 was using fully patched SMA 100 series devices to deploy a backdoor called OVERSTEP. Spooky!
Protecting Your SonicWall SMA 100 Series Devices: Recommended Steps
Besides patching, SonicWall recommends these steps for SMA 100 Series device users:
- Disable remote management access on the external-facing interface (X1) to shrink your attack surface.
- Reset all passwords and reinitialize OTP (One-Time Password) binding for users and administrators.
- Enforce multi-factor authentication (MFA) for *all* users. Seriously, do it.
- Enable Web Application Firewall (WAF) on SMA 100.
It's also a good idea to review your appliance logs and connection history for anything suspicious. Look for signs of unauthorized access!
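As an added illustration of what that log review can look like (this is example code, not SonicWall's own tooling, and the record layout is not SonicWall's log format), the script below runs a few checks tied to the recommendations above over constructed, syslog-style management-login records: management-portal logins arriving on the external interface X1, successful logins without MFA, management logins from outside an assumed internal range, and a success following repeated failures from the same source. The key=value field layout, the hostname and the 10.0.0.0/8 "internal" range are assumptions; the addresses are from RFC 5737 documentation ranges.

```python
# Added example: review constructed appliance login records for signs of unauthorized access.
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample records (not real SonicWall output). Layout is an assumption.
SAMPLE_LOG = """\
2025-07-24T08:02:11Z sma-vpn-01 auth: portal=management user=admin result=success src=10.20.0.15 iface=X0 mfa=yes
2025-07-24T08:05:42Z sma-vpn-01 auth: portal=management user=admin result=failure src=203.0.113.45 iface=X1 mfa=no
2025-07-24T08:05:49Z sma-vpn-01 auth: portal=management user=admin result=failure src=203.0.113.45 iface=X1 mfa=no
2025-07-24T08:06:03Z sma-vpn-01 auth: portal=management user=admin result=success src=203.0.113.45 iface=X1 mfa=no
2025-07-24T09:30:27Z sma-vpn-01 auth: portal=user user=jsmith result=success src=198.51.100.9 iface=X1 mfa=yes
2025-07-24T23:48:10Z sma-vpn-01 auth: portal=management user=admin result=success src=198.51.100.77 iface=X1 mfa=no
"""

# Assumption: administrators normally connect from this range.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<kv>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split one record into a dict of its fields (timestamp, host, then key=value pairs)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def review(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per flagged record: the parsed fields plus a list of reasons."""
    findings: List[Dict[str, object]] = []
    failures: Counter = Counter()  # failed attempts seen so far, per source address
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        reasons: List[str] = []
        if rec.get("portal") == "management" and rec.get("iface") == "X1":
            reasons.append("management login over external interface X1")
        if rec.get("result") == "success" and rec.get("mfa") != "yes":
            reasons.append("successful login without MFA")
        if rec.get("portal") == "management" and not is_internal(rec["src"]):
            reasons.append("management login from non-internal address")
        if rec.get("result") == "failure":
            failures[rec["src"]] += 1
        elif rec.get("result") == "success" and failures[rec["src"]] >= 2:
            reasons.append(f"success after {failures[rec['src']]} failures from same source")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['src']} ({f['iface']}): " + "; ".join(f["reasons"]))
```

The checks mirror the hardening steps: once remote management on X1 is disabled and MFA is enforced, any record that still trips the first two rules deserves a closer look, and a success after a burst of failures is worth correlating with the password reset and OTP re-binding the vendor recommends.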
Important for SMA 500v users: You'll need to back up the OVA file, export the configuration, remove the existing virtual machine (and all associated virtual disks and snapshots), reinstall the new OVA from SonicWall using a hypervisor, and *then* restore the configuration. A bit more involved, but necessary!