CVE-2025-6704
Published: 21 July 2025
Summary
CVE-2025-6704 is a critical-severity OS Command Injection (CWE-78) vulnerability in Sophos Firewall Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
An arbitrary file writing vulnerability affects the Secure PDF eXchange (SPX) feature in Sophos Firewall versions older than 21.0 MR2 (21.0.2). The flaw, tracked as CVE-2025-6704 with a CVSS 3.1 score of 9.8 and mapped to CWE-78, can enable pre-authentication remote code execution when a specific SPX configuration is active alongside High Availability (HA) mode.
An unauthenticated remote attacker can exploit the issue over the network to write arbitrary files on the appliance and subsequently execute code, provided the required SPX and HA conditions are met. No user interaction or credentials are needed for successful exploitation under those constraints.
The vendor advisory at https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce directs administrators to upgrade affected devices to version 21.0 MR2 or later. The EPSS score remains flat at 0.0158 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22086
Vulnerability details
An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file write combined with OS command injection (CWE-78) in the public-facing Sophos Firewall SPX feature directly enables pre-auth RCE through Exploit Public-Facing Application (T1190), with Unix shell execution (T1059.004), when the firewall runs in HA mode.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the arbitrary file writing vulnerability by identifying, reporting, and correcting flaws through vendor-recommended upgrades to Sophos Firewall v21.0 MR2 or later.
- CM-7 (Least Functionality): Prevents exploitation by implementing only essential capabilities and prohibiting or restricting vulnerable features such as SPX when combined with HA mode.
- Vulnerability scanning: Detects vulnerable Sophos Firewall versions via scanning and supports the remediation response to address the pre-auth RCE risk.