CVE-2025-7382 Overview
CVE-2025-7382 is a command injection vulnerability [CWE-78] in the WebAdmin component of Sophos Firewall versions older than 21.0 MR2 (21.0.2). The flaw allows adjacent network attackers to achieve pre-authentication code execution on High Availability (HA) auxiliary devices when one-time password (OTP) authentication for the admin user is enabled. Sophos published the security advisory on July 21, 2025, and the issue is tracked as a high severity vulnerability affecting Sophos Firewall firmware deployments worldwide.
Critical Impact
Adjacent attackers can execute arbitrary commands on HA auxiliary firewall devices without authentication, compromising perimeter security infrastructure.
Affected Products
- Sophos Firewall Firmware versions older than 21.0 MR2 (21.0.2)
- Sophos Firewall hardware appliances running affected firmware
- High Availability (HA) auxiliary devices with OTP authentication enabled for admin user
Discovery Timeline
- 2025-07-21 - Sophos publishes security advisory sophos-sa-20250721-sfos-rce
- 2025-07-21 - CVE-2025-7382 published to NVD
- 2025-11-17 - Last updated in NVD database
Technical Details for CVE-2025-7382
Vulnerability Analysis
The vulnerability resides in the WebAdmin management interface of Sophos Firewall. The component fails to properly neutralize special elements used in operating system commands, mapping to [CWE-78]. Attackers on an adjacent network can inject shell metacharacters into a vulnerable WebAdmin request handler, causing the underlying operating system to execute attacker-supplied commands.
Exploitation does not require prior authentication. The pre-auth condition is reachable on HA auxiliary devices when OTP authentication is configured for the admin user. This configuration introduces a code path on the auxiliary node that processes attacker-controlled input before authentication is enforced.
Successful exploitation grants the attacker code execution in the context of the WebAdmin process. Because Sophos Firewall serves as a perimeter and segmentation device, code execution on the auxiliary HA node can be used to disrupt failover, intercept traffic, or pivot deeper into protected segments.
Root Cause
The root cause is improper input sanitization in a WebAdmin request handler that constructs an OS command using untrusted input. The handler is reachable on HA auxiliary nodes prior to OTP-based admin authentication, which converts the bug into a pre-auth remote code execution issue under the specified HA and OTP configuration.
Attack Vector
The attack vector is Adjacent Network, meaning the attacker must have access to the logically adjacent network segment used by the firewall, such as the HA link or management network. The attacker sends a crafted HTTP(S) request to the WebAdmin interface of an HA auxiliary device. No user interaction is required. No verified proof-of-concept exploit code is publicly available at this time. Refer to the Sophos Security Advisory for vendor technical details.
Detection Methods for CVE-2025-7382
Indicators of Compromise
- Unexpected outbound connections originating from HA auxiliary firewall devices to unknown IP addresses.
- WebAdmin access log entries from the HA heartbeat or management network containing shell metacharacters such as backticks, semicolons, pipes, or $() constructs.
- New or modified processes spawned by the WebAdmin service outside of normal administrative workflows.
- Unexplained HA state transitions, configuration changes, or admin user activity on auxiliary nodes.
Detection Strategies
- Inspect WebAdmin HTTPS request logs for anomalous payloads targeting administrative endpoints, particularly on auxiliary HA devices.
- Correlate firewall management plane authentication events with command execution telemetry to identify pre-auth activity.
- Baseline expected traffic on the HA link and alert on any non-HA-protocol traffic reaching the WebAdmin port.
Monitoring Recommendations
- Forward Sophos Firewall syslog and audit logs to a centralized SIEM for retention and correlation.
- Restrict and monitor access to the WebAdmin interface, allowing only known administrative source addresses.
- Alert on configuration changes, firmware modifications, and new admin sessions on HA auxiliary nodes.
How to Mitigate CVE-2025-7382
Immediate Actions Required
- Upgrade Sophos Firewall to version 21.0 MR2 (21.0.2) or later as supplied by the vendor.
- Restrict WebAdmin and HA link exposure to trusted management networks only.
- Audit HA configuration and verify whether OTP authentication for the admin user is enabled on affected devices.
- Review WebAdmin and HA logs for evidence of exploitation prior to patching.
Patch Information
Sophos has released fixed firmware in version 21.0 MR2 (21.0.2) and later. Administrators should apply the update through the standard Sophos Firewall update mechanism. Customers with automatic hotfix enabled may already have received the fix. See the Sophos Security Advisory for version-specific guidance.
Workarounds
- Place the HA heartbeat and management interfaces on a dedicated, isolated VLAN inaccessible to general user networks.
- Disable WebAdmin reachability on interfaces facing untrusted or adjacent segments where administrative access is not required.
- If immediate patching is not possible, evaluate disabling OTP authentication for the admin user on HA auxiliary devices, recognizing the trade-off in administrative security controls.
# Configuration example: restrict WebAdmin access to a dedicated management subnet
# Apply via Sophos Firewall WebAdmin > Administration > Device Access
# Allowed networks for WebAdmin (HTTPS) service:
# - 10.10.0.0/24 (management LAN)
# Denied: all other zones including LAN, WAN, DMZ, and HA heartbeat
# Verify firmware version after upgrade:
system diagnostics show version
# Expected output: SFOS 21.0.2 MR-2 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
