CVE-2024-13974 Overview
CVE-2024-13974 is a business logic vulnerability [CWE-807] in the Up2Date component of Sophos Firewall versions older than 21.0 MR1 (20.0.1). The flaw allows attackers who control the firewall's Domain Name System (DNS) environment to achieve remote code execution on the device. The Up2Date component handles update retrieval and validation, and improper reliance on attacker-influenceable inputs lets an adversary redirect or manipulate update traffic. Successful exploitation grants code execution on the firewall, a network perimeter device with broad visibility and trust.
Critical Impact
Attackers controlling the firewall's DNS environment can execute arbitrary code on Sophos Firewall, compromising the security perimeter and gaining a foothold on a privileged network device.
Affected Products
- Sophos Firewall Firmware versions prior to 21.0 MR1 (20.0.1)
- Sophos Firewall hardware appliances running affected firmware
- Sophos Firewall virtual and software deployments running affected firmware
Discovery Timeline
- 2025-07-21 - CVE-2024-13974 published to the National Vulnerability Database (NVD)
- 2025-07-21 - Sophos publishes security advisory sophos-sa-20250721-sfos-rce
- 2025-11-17 - Last updated in NVD database
Technical Details for CVE-2024-13974
Vulnerability Analysis
The vulnerability resides in the Up2Date component, which manages firmware and signature updates for Sophos Firewall. The component relies on inputs that an attacker positioned to manipulate DNS resolution can influence. Classified as CWE-807 (Reliance on Untrusted Inputs in a Security Decision), the flaw lets adversaries subvert the update logic to deliver attacker-controlled content that the firewall processes with elevated trust. The outcome is remote code execution on a perimeter security device that brokers traffic for the entire protected network.
The attack is network-based and requires no authentication or user interaction. Attack complexity is high because the adversary must already control the firewall's DNS resolution path, for example through upstream DNS poisoning, on-path interception, or compromise of a resolver the device trusts.
Root Cause
The root cause is a business logic flaw in how the Up2Date component validates and trusts data tied to DNS-resolved endpoints. The component makes security-relevant decisions based on inputs the attacker can influence once DNS is under their control. The vendor remediated the logic in firmware version 21.0 MR1 (20.0.1).
Attack Vector
Exploitation requires the attacker to control the DNS environment used by the firewall. Once this prerequisite is met, the adversary manipulates update-related traffic flowing through the Up2Date component so that the firewall accepts attacker-controlled content. The firewall then executes code in the context of the update subsystem, yielding remote code execution on the appliance. No verified public proof-of-concept code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Refer to the Sophos security advisory for technical details:
https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
Detection Methods for CVE-2024-13974
Indicators of Compromise
- Unexpected outbound DNS queries from the firewall management plane to non-Sophos resolvers or unusual destinations.
- Update transactions from the Up2Date component completing against unknown or non-standard endpoints.
- New or unexpected processes, binaries, or persistence artifacts on the firewall following an update cycle.
- Configuration drift, anomalous administrative sessions, or unexplained outbound connections originating from the firewall after exposure to untrusted DNS.
Detection Strategies
- Monitor firewall update logs for failed signature checks, unexpected update sources, or repeated update attempts at unusual times.
- Compare DNS responses for Sophos update domains observed at the firewall against authoritative answers from a trusted resolver.
- Inspect network telemetry for Sophos Firewall devices resolving update hostnames through resolvers other than the configured trusted DNS servers.
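The two resolver-focused checks above (comparing observed answers for update hostnames against a trusted resolver, and spotting lookups that went through a resolver outside the configured trusted set) can be run over firewall DNS telemetry. The script below is an added illustration, not Sophos code or output; the log format, hostnames and addresses are constructed placeholders, and the trusted answer set is assumed to have been gathered out-of-band.

```python
"""Constructed detection example: flag update-hostname resolutions that diverge
from a trusted resolver's answers or that used a non-approved resolver."""
from dataclasses import dataclass
from typing import Dict, List

# Resolvers the firewall management plane is allowed to use (placeholder IPs).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Answers for the update hostnames obtained out-of-band from a trusted resolver.
# Hostnames and addresses are constructed placeholders, not real vendor endpoints.
TRUSTED_ANSWERS = {
    "updates.vendor.example": {"203.0.113.10", "203.0.113.11"},
    "signatures.vendor.example": {"203.0.113.20"},
}

# Constructed firewall DNS telemetry (assumed format):
# "<timestamp> resolver=<ip> qname=<host> answers=<ip>[,<ip>...]"
SAMPLE_LOG = """\
2025-07-22T01:00:00Z resolver=10.0.0.53 qname=updates.vendor.example answers=203.0.113.11
2025-07-22T01:05:00Z resolver=10.0.0.53 qname=signatures.vendor.example answers=198.51.100.7
2025-07-22T01:10:00Z resolver=192.0.2.9 qname=updates.vendor.example answers=203.0.113.10
2025-07-22T01:15:00Z resolver=10.0.0.54 qname=unrelated.example answers=203.0.113.99
"""

@dataclass
class Finding:
    timestamp: str
    qname: str
    reason: str

def parse_line(line: str) -> Dict[str, str]:
    """Split one telemetry line into a dict of its key=value fields plus 'ts'."""
    ts, *kvs = line.split()
    rec = {"ts": ts}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec

def analyze(log: str, trusted_answers=TRUSTED_ANSWERS,
            trusted_resolvers=TRUSTED_RESOLVERS) -> List[Finding]:
    """Return findings for update-hostname lookups that look tampered with."""
    findings: List[Finding] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        qname = rec.get("qname", "")
        if qname not in trusted_answers:
            continue  # only update hostnames are in scope for this check
        if rec.get("resolver") not in trusted_resolvers:
            findings.append(Finding(rec["ts"], qname,
                            f"resolved via non-trusted resolver {rec.get('resolver')}"))
        observed = {a for a in rec.get("answers", "").split(",") if a}
        # CDN-backed hosts legitimately rotate among several addresses, so require
        # at least one overlap with the trusted set rather than exact equality.
        if observed and not (observed & trusted_answers[qname]):
            findings.append(Finding(rec["ts"], qname,
                            f"answers {sorted(observed)} not in trusted answer set"))
    return findings
```

On the sample log this reports two findings: the signature hostname answered with an address outside the trusted set, and an update lookup that went through an unapproved resolver; the unrelated hostname is ignored.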
Monitoring Recommendations
- Centralize firewall syslog and update component events for correlation and long-term retention.
- Alert on changes to the firewall's DNS configuration, resolver list, or routing policy affecting management traffic.
- Baseline normal Up2Date behavior, including update cadence and destination endpoints, and alert on deviations.
How to Mitigate CVE-2024-13974
Immediate Actions Required
- Upgrade Sophos Firewall to version 21.0 MR1 (20.0.1) or later, which contains the vendor fix for CVE-2024-13974.
- Restrict the firewall management plane to authoritative, trusted DNS resolvers under your administrative control.
- Audit firewall configuration and recent update activity for signs of tampering before and after patching.
Patch Information
Sophos addressed the issue in Sophos Firewall version 21.0 MR1 (20.0.1). Apply the firmware update through the standard Sophos update process or download the package from the Sophos support portal. Full remediation details are in the Sophos Security Advisory sophos-sa-20250721-sfos-rce.
Workarounds
- Configure the firewall to use only trusted, hardened DNS resolvers and block egress to untrusted DNS endpoints from the management interface.
- Segment and protect upstream DNS infrastructure to prevent poisoning and on-path interception of update-related queries.
- Where feasible, isolate the firewall management plane on a dedicated network with strict egress controls until patching is complete.
# Example: verify and update Sophos Firewall firmware from the device console
# 1. Log in to the Sophos Firewall console (device console / advanced shell)
# 2. Check the current firmware version
system diagnostics show version-info
# 3. Apply the latest available firmware (must be 21.0 MR1 / 20.0.1 or later)
system firmware-upgrade list
system firmware-upgrade apply <firmware-image-id>
# 4. Restrict DNS to trusted resolvers (replace with your trusted IPs)
system dns add ipv4-server 10.0.0.53
system dns add ipv4-server 10.0.0.54
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.