Cyber Posture

CVE-2025-6704

Critical · RCE

Published: 21 July 2025

Modified: 18 August 2025
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (69.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-6704 is a critical-severity OS Command Injection (CWE-78) vulnerability in Sophos Firewall Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- SI-2 (Flaw Remediation), prevent: Directly remediates the arbitrary file writing vulnerability by identifying, reporting, and correcting flaws through vendor-recommended upgrades to Sophos Firewall v21.0 MR2 or later.
- CM-7 (Least Functionality), prevent: Prevents exploitation by implementing only essential capabilities and prohibiting or restricting vulnerable features, such as SPX when combined with HA mode.
- Detect / respond: Detects vulnerable Sophos Firewall versions via scanning and supports remediation response to address the pre-auth RCE risk.

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Arbitrary file write combined with OS command injection (CWE-78) in the public-facing SPX feature of Sophos Firewall directly enables pre-auth RCE (T1190) with Unix shell execution (T1059.004) when the firewall runs in HA mode.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode.

Deeper analysis [AI]

CVE-2025-6704 is an arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (v21.0.2). Published on 2025-07-21, it is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-78 (OS Command Injection). The flaw enables pre-authentication remote code execution when SPX is specifically configured and enabled alongside the firewall operating in High Availability (HA) mode.

Attackers with network access can exploit this vulnerability without authentication or user interaction. By leveraging the arbitrary file write capability in the SPX feature under the specified HA configuration, they can achieve remote code execution on the affected firewall, potentially leading to full system compromise with high confidentiality, integrity, and availability impacts.

Sophos has issued security advisory sophos-sa-20250721-sfos-rce at https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce, which provides details on the vulnerability and recommended mitigations, including upgrading to Sophos Firewall v21.0 MR2 (v21.0.2) or later.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: sophos / firewall firmware, versions ≤ 21.0.2

CVEs Like This One

- CVE-2025-7382: same product (Sophos Firewall)
- CVE-2025-7624: same product (Sophos Firewall)
- CVE-2024-13974: same product (Sophos Firewall)
- CVE-2026-25070: shared CWE-78
- CVE-2026-34796: shared CWE-78
- CVE-2025-27392: shared CWE-78
- CVE-2025-64127: shared CWE-78
- CVE-2026-3037: shared CWE-78
- CVE-2025-56114: shared CWE-78
- CVE-2026-41113: shared CWE-78
