CVE-2025-6704 Overview
CVE-2025-6704 is an arbitrary file write vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall. The flaw affects firmware versions older than 21.0 MR2 (21.0.2) and can be exploited without authentication. Successful exploitation leads to pre-authentication remote code execution on the firewall appliance. The vulnerability is only exploitable when a specific SPX configuration is enabled and the firewall operates in High Availability (HA) mode. The issue is tracked under CWE-78 (OS Command Injection) and is documented in the Sophos Security Advisory.
Critical Impact
Unauthenticated attackers can write arbitrary files and execute commands as a privileged user on the firewall, compromising the network perimeter device.
Affected Products
- Sophos Firewall Firmware versions prior to 21.0 MR2 (21.0.2)
- Sophos Firewall appliances with Secure PDF eXchange (SPX) enabled
- Sophos Firewall deployments configured in High Availability (HA) mode
Discovery Timeline
- 2025-07-21 - Sophos publishes security advisory sophos-sa-20250721-sfos-rce
- 2025-07-21 - CVE-2025-6704 published to NVD
- 2025-08-18 - Last updated in NVD database
Technical Details for CVE-2025-6704
Vulnerability Analysis
The vulnerability resides in the Secure PDF eXchange (SPX) component of Sophos Firewall Operating System (SFOS). SPX encrypts outbound email attachments into password-protected PDF files. The flaw allows an unauthenticated remote attacker to write attacker-controlled content to arbitrary locations on the appliance file system. When chained with the High Availability synchronization process, the attacker-controlled file write becomes a vehicle for code execution. The underlying weakness maps to CWE-78, indicating improper neutralization of special elements used in an OS command.
Exploitation does not require credentials, user interaction, or local access. The attack surface is exposed over the network through SPX-related processing paths reachable on the firewall management or service interfaces.
Root Cause
The root cause is insufficient validation of input handled by the SPX feature. Untrusted data flows into a code path that determines file write destinations and content without enforcing safe path constraints or command argument boundaries. In HA mode, the firewall replicates configuration and runtime data between cluster nodes, broadening the impact of any locally written attacker-controlled file. The combination of unauthenticated reachability and trusted HA processing converts an arbitrary write into reliable remote code execution.
Attack Vector
An unauthenticated attacker sends a crafted network request that triggers the SPX processing logic. The crafted payload causes the firewall to write attacker-supplied data to a file location used by privileged processes. Subsequent execution of that content under the firewall's service context yields remote code execution. The attack requires the target to have both SPX enabled with the vulnerable configuration and HA mode active. No prior foothold on the device is required.
No public proof-of-concept exploit code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-6704
Indicators of Compromise
- Unexpected files appearing in SPX working directories or configuration paths on the firewall file system
- Anomalous outbound connections originating from the Sophos Firewall management plane
- Unscheduled HA synchronization events or configuration diffs between cluster peers
- New administrative sessions, accounts, or scheduled tasks created without an approved change record
Detection Strategies
- Inspect Sophos Firewall audit logs for SPX-related processing errors or malformed request entries preceding privilege-sensitive operations
- Correlate firewall management interface access logs with subsequent process execution and outbound network activity
- Monitor HA sync traffic for unexpected payload sizes or out-of-band file transfers between peers
- Compare firmware version inventory against the fixed release 21.0 MR2 (21.0.2) to identify exposed appliances
Monitoring Recommendations
- Forward SFOS syslog and audit data to a centralized SIEM or data lake for retention and correlation
- Alert on any administrative configuration change to SPX or HA settings outside of change windows
- Baseline normal HA peer communication patterns and alert on deviations in volume or destination
- Track external connection attempts to firewall management services from non-approved source ranges
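The change-window alerting described above, as an added example that is not part of the original advisory or of any Sophos tooling. It assumes a simplified key=value audit record format (constructed here; real SFOS syslog fields differ and would need their own parser) and a constructed change-window policy of Saturday 22:00 to Sunday 02:00 UTC. Any SPX or HA configuration change recorded outside that window is raised as an alert, and the window crossing midnight is handled explicitly.

```python
import re
from datetime import datetime, timezone, time

# Constructed change-window policy: (weekday with Monday=0, start, end), all UTC.
# Saturday 22:00 to Sunday 02:00 deliberately crosses midnight to exercise that edge case.
CHANGE_WINDOWS = [
    (5, time(22, 0), time(2, 0)),
]

# Components whose configuration changes matter for CVE-2025-6704 exposure.
WATCHED_COMPONENTS = {"SPX", "HA"}

# Constructed sample audit records; this key=value layout is an assumption, not SFOS's format.
SAMPLE_LOG = """\
2025-07-19T23:10:00Z host=fw-dc1-a user=admin component=HA action=peer_sync_config
2025-07-20T01:30:00Z host=fw-dc1-a user=admin component=SPX action=policy_disabled policy=Default
2025-07-22T10:15:03Z host=fw-dc1-a user=admin component=SPX action=policy_enabled policy=Default
2025-07-22T10:16:10Z host=fw-dc1-a user=admin component=Firewall action=rule_added
2025-07-23T03:05:44Z host=fw-dc1-b user=svc-backup component=HA action=mode_changed value=disabled
"""

_KV_RE = re.compile(r"(\w+)=(\S+)")


def in_change_window(ts):
    """Return True if the UTC timestamp falls inside an approved change window."""
    for weekday, start, end in CHANGE_WINDOWS:
        if start <= end:
            # Window contained within a single day.
            if ts.weekday() == weekday and start <= ts.time() < end:
                return True
        else:
            # Window crosses midnight: late part of `weekday`, early part of the next day.
            if ts.weekday() == weekday and ts.time() >= start:
                return True
            if ts.weekday() == (weekday + 1) % 7 and ts.time() < end:
                return True
    return False


def parse_record(line):
    """Parse one constructed audit line into a dict with a timezone-aware timestamp."""
    stamp, _, rest = line.partition(" ")
    record = dict(_KV_RE.findall(rest))
    record["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return record


def find_out_of_window_changes(log_text):
    """Return SPX/HA configuration changes made outside approved change windows."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("component") not in WATCHED_COMPONENTS:
            continue
        if in_change_window(rec["ts"]):
            continue
        alerts.append({
            "when": rec["ts"].isoformat(),
            "host": rec.get("host"),
            "user": rec.get("user"),
            "component": rec["component"],
            "action": rec.get("action"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_out_of_window_changes(SAMPLE_LOG):
        print("ALERT out-of-window change:", alert)
```

The two records inside the Saturday-night window produce no alert; the Tuesday SPX re-enable and the Wednesday HA mode change do. In practice the change-window table would come from the change-management system rather than a constant, and the parser would be replaced by one for the real SFOS log format.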
How to Mitigate CVE-2025-6704
Immediate Actions Required
- Upgrade Sophos Firewall to version 21.0 MR2 (21.0.2) or later as published in the Sophos Security Advisory
- Audit firewall configuration to determine whether SPX is enabled and whether the appliance is in HA mode
- Restrict management and service interface exposure to trusted administrative networks only
- Review recent firewall logs and HA sync activity for indicators of prior exploitation attempts
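An inventory check covering both the detection step (compare firmware versions against the fixed release 21.0 MR2) and the audit step above (is SPX enabled, is the appliance in HA mode), written here as an added example rather than taken from the advisory or from Sophos. The version-string forms it accepts ("21.0 MR2", "21.0.2", "21.0 GA", "SFOS 21.0.1 MR-1-Build") are assumptions about how such strings appear in an asset inventory, and the appliance records are constructed. An unpatched device is reported as "exposed" only when both preconditions the advisory names are met; otherwise it is still flagged as unpatched.

```python
import re
from dataclasses import dataclass

# Fixed release from the advisory: 21.0 MR2, equivalently 21.0.2.
FIXED_VERSION = (21, 0, 2)

# Assumed version-string shapes: "21.0 MR2", "21.0.2", "21.0 GA", "SFOS 21.0.1 MR-1-Build".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\s*(GA|MR-?(\d+)))?", re.IGNORECASE)


def parse_sfos_version(text):
    """Normalise an SFOS version string to a comparable (major, minor, maintenance) tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    maintenance = int(m.group(3)) if m.group(3) else 0  # "GA" or no suffix means MR0
    if m.group(5):
        maintenance = int(m.group(5))  # explicit MRn wins over/agrees with the third number
    return (major, minor, maintenance)


@dataclass
class Appliance:
    name: str
    firmware: str
    spx_enabled: bool
    ha_enabled: bool


def assess(appliance):
    """Classify one appliance against CVE-2025-6704 using the advisory's preconditions."""
    if parse_sfos_version(appliance.firmware) >= FIXED_VERSION:
        return "patched"
    if appliance.spx_enabled and appliance.ha_enabled:
        return "exposed"  # unpatched AND both exploitation preconditions present
    return "unpatched-preconditions-not-met"  # still needs the upgrade, lower urgency


def summarise(inventory):
    """Group appliance names by assessment result for reporting."""
    result = {"patched": [], "exposed": [], "unpatched-preconditions-not-met": []}
    for appliance in inventory:
        result[assess(appliance)].append(appliance.name)
    return result


# Constructed inventory records; names and settings are illustrative only.
SAMPLE_INVENTORY = [
    Appliance("fw-dc1-a", "SFOS 21.0.1 MR-1-Build", spx_enabled=True, ha_enabled=True),
    Appliance("fw-dc1-b", "21.0 MR2", spx_enabled=True, ha_enabled=True),
    Appliance("fw-branch", "20.0 MR3", spx_enabled=False, ha_enabled=True),
    Appliance("fw-lab", "21.0 GA", spx_enabled=True, ha_enabled=False),
]

if __name__ == "__main__":
    for status, names in summarise(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

The comparison is a plain tuple ordering, so a later branch such as a hypothetical 21.5 release sorts above the fix; if your inventory records builds from an older branch that received its own hotfix, treat the advisory as the authority on which builds are fixed rather than this numeric rule.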
Patch Information
Sophos addressed CVE-2025-6704 in Sophos Firewall firmware version 21.0 MR2 (21.0.2). Customers running supported versions with automatic hotfix delivery enabled receive the fix through the standard hotfix mechanism. Verify the installed firmware build and hotfix status from the WebAdmin console under the firmware management section. Full remediation details and download links are available in the Sophos Security Advisory.
Workarounds
- Disable the Secure PDF eXchange (SPX) feature if it is not required for business operations
- Disable High Availability mode where operationally feasible until the patch is applied, accepting the loss of failover
- Limit network reachability of the firewall management and service interfaces using upstream access control lists
- Enforce strict change control on SPX and HA configuration settings to prevent re-enablement on unpatched devices
# Configuration example
# Verify Sophos Firewall firmware version from the SFOS console CLI
system diagnostics show version-info
# Confirm hotfix auto-installation is enabled
system hotfix show
# Disable SPX as a temporary workaround (perform via WebAdmin):
# Email > Policies > SPX Encryption > Disable applicable policies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.