Cyber Posture

CVE-2025-7382

Severity: High
Published: 21 July 2025
Modified: 17 November 2025
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: upgrade to Sophos Firewall v21.0 MR2 (21.0.2) or later
CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.1st percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-7382 is a high-severity OS Command Injection (CWE-78) vulnerability in Sophos Firewall Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 34.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates the command injection vulnerability by requiring timely flaw remediation through vendor patches, i.e. upgrading to Sophos Firewall v21.0 MR2.

SI-10 Information Input Validation (prevent): Prevents command injection exploitation in WebAdmin by enforcing validation of untrusted inputs so that attacker-supplied command syntax is rejected.

SC-7 Boundary Protection (prevent): Mitigates adjacent-network (AV:A) access to vulnerable HA auxiliary devices by enforcing boundary protections such as network segmentation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in WebAdmin enables pre-authentication remote code execution on the network device (T1190), carried out through Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A command injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to adjacent attackers achieving pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled.

Deeper analysis

CVE-2025-7382 is a command injection vulnerability (CWE-78) in the WebAdmin component of Sophos Firewall versions older than 21.0 MR2 (v21.0.2). Published on 2025-07-21, it affects High Availability (HA) auxiliary devices when OTP authentication is enabled for the admin user. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): adjacent-network access, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.

An attacker on an adjacent network segment can exploit the vulnerability with low complexity and without prior privileges or user interaction. Successful exploitation yields pre-authentication code execution on HA auxiliary devices, with high impact on confidentiality, integrity, and availability.

The Sophos security advisory (https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce) addresses mitigation by recommending an upgrade to Sophos Firewall v21.0 MR2 (v21.0.2) or later, where the vulnerability has been remediated.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: sophos firewall firmware, versions ≤ 21.0.2 (note that the NVD description and the vendor advisory state that versions older than 21.0 MR2, i.e. 21.0.2, are affected and that 21.0.2 contains the fix)

CVEs Like This One

CVE-2025-6704 (same product: Sophos Firewall)
CVE-2025-7624 (same product: Sophos Firewall)
CVE-2024-13974 (same product: Sophos Firewall)
CVE-2026-25070 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2025-27392 (shared CWE-78)
CVE-2025-64127 (shared CWE-78)
CVE-2026-3037 (shared CWE-78)
CVE-2025-56114 (shared CWE-78)
CVE-2026-41113 (shared CWE-78)

References

Sophos security advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce