Cyber Resilience

CVE-2025-6704

Critical · RCE

Published: 21 July 2025
Modified: 18 August 2025
KEV Added: not listed
Patch: upgrade to 21.0 MR2 (21.0.2) or later
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0158 (82.0th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-6704 is a critical-severity OS Command Injection (CWE-78) vulnerability in Sophos Firewall Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

An arbitrary file writing vulnerability affects the Secure PDF eXchange (SPX) feature in Sophos Firewall versions older than 21.0 MR2 (21.0.2). The flaw, tracked as CVE-2025-6704 with a CVSS 3.1 score of 9.8 and mapped to CWE-78, can enable pre-authentication remote code execution when a specific SPX configuration is active alongside High Availability (HA) mode.

An unauthenticated remote attacker can exploit the issue over the network to write arbitrary files on the appliance and subsequently execute code, provided the required SPX and HA conditions are met. Under those constraints, no user interaction or credentials are needed.

The vendor advisory at https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce directs administrators to upgrade affected devices to version 21.0 MR2 or later. The EPSS score remains flat at 0.0158 with no material increase after disclosure.
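For fleet triage of the version and feature preconditions described above, here is an added example (not code from this page or from Sophos). It parses the SFOS version spellings used on this page ("21.0 MR2", "21.0.2", "21.0 GA"); the assumption that "MR<n>" equals patch level n, and the treatment of any SPX-enabled device as exposed (the page does not name the specific SPX setting), are the example's own.

```python
"""Triage helper for CVE-2025-6704: is a Sophos Firewall build older than 21.0 MR2 (21.0.2)?
Added example, not Sophos code. The 'MR<n>' -> patch-level mapping is an assumption."""
import re
from typing import Optional, Tuple

FIXED_VERSION = (21, 0, 2)  # 21.0 MR2 is 21.0.2 per the advisory summarised on this page

# Accepts 'v21.0', '21.0.2', '21.0 MR2', '21.0 MR-2', '21.0 GA' and '21.0 MR2 (21.0.2)'
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?"        # major.minor[.patch]
    r"(?:\s*(?:MR[\s-]*(\d+)|GA))?"          # optional maintenance release tag or GA
    r"(?:\s*\(.*\))?\s*$",                   # optional parenthesised alias such as '(21.0.2)'
    re.IGNORECASE,
)


def parse_sfos_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not an SFOS version.
    Assumption: 'MR<n>' means patch level n and 'GA' means patch level 0."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, mr = m.groups()
    if patch is not None and mr is not None and int(patch) != int(mr):
        return None  # contradictory forms such as '21.0.1 MR2' are rejected, not guessed
    level = int(patch) if patch is not None else (int(mr) if mr is not None else 0)
    return (int(major), int(minor), level)


def is_vulnerable_version(text: str) -> Optional[bool]:
    """True when the build is older than 21.0 MR2; None when the string cannot be parsed."""
    parsed = parse_sfos_version(text)
    return None if parsed is None else parsed < FIXED_VERSION


def triage(version: str, spx_enabled: bool, ha_enabled: bool) -> str:
    """Map a device's version and feature state to a remediation priority.
    SPX together with HA is the precondition the advisory states; any SPX-enabled
    device is treated as exposed because the page does not name the exact setting."""
    vulnerable = is_vulnerable_version(version)
    if vulnerable is None:
        return "unknown-version: verify manually"
    if not vulnerable:
        return "patched"
    if spx_enabled and ha_enabled:
        return "urgent: pre-auth RCE preconditions present, upgrade to 21.0 MR2"
    return "upgrade: vulnerable build, exploit preconditions not currently met"


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, reported version, SPX on, HA on)
    for host, ver, spx, ha in [("fw-edge-1", "21.0 MR1", True, True), ("fw-lab", "21.0.2", True, True)]:
        print(host, ver, "->", triage(ver, spx, ha))
```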

Vulnerability details

An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The arbitrary file write and OS command injection (CWE-78) in the public-facing SPX feature of Sophos Firewall directly enables pre-auth RCE (T1190), with the resulting commands running in a Unix shell (T1059.004), when the HA configuration is in use.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-7382 (same product: Sophos Firewall)
CVE-2025-7624 (same product: Sophos Firewall)
CVE-2024-13974 (same product: Sophos Firewall)
CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)

Affected Assets

Sophos Firewall Firmware, versions ≤ 21.0.2

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): Directly remediates the arbitrary file writing vulnerability by identifying, reporting, and correcting flaws through the vendor-recommended upgrade to Sophos Firewall v21.0 MR2 or later.

CM-7 Least Functionality (prevent): Prevents exploitation by implementing only essential capabilities and prohibiting or restricting vulnerable features such as SPX when combined with HA mode.

Vulnerability scanning (detect, respond): Detects vulnerable Sophos Firewall versions via scanning and supports the remediation response that addresses the pre-auth RCE risk.
