Skip to main content
CVE Vulnerability Database

CVE-2025-7382: Sophos Firewall Firmware RCE Vulnerability

CVE-2025-7382 is a command injection RCE flaw in Sophos Firewall Firmware that enables adjacent attackers to execute code on HA auxiliary devices. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-7382 Overview

CVE-2025-7382 is a command injection vulnerability [CWE-78] in the WebAdmin component of Sophos Firewall versions older than 21.0 MR2 (21.0.2). The flaw allows adjacent network attackers to achieve pre-authentication code execution on High Availability (HA) auxiliary devices when one-time password (OTP) authentication for the admin user is enabled. Sophos published the security advisory on July 21, 2025, and the issue is tracked as a high severity vulnerability affecting Sophos Firewall firmware deployments worldwide.

Critical Impact

Adjacent attackers can execute arbitrary commands on HA auxiliary firewall devices without authentication, compromising perimeter security infrastructure.

Affected Products

  • Sophos Firewall Firmware versions older than 21.0 MR2 (21.0.2)
  • Sophos Firewall hardware appliances running affected firmware
  • High Availability (HA) auxiliary devices with OTP authentication enabled for admin user

Discovery Timeline

  • 2025-07-21 - Sophos publishes security advisory sophos-sa-20250721-sfos-rce
  • 2025-07-21 - CVE-2025-7382 published to NVD
  • 2025-11-17 - Last updated in NVD database

Technical Details for CVE-2025-7382

Vulnerability Analysis

The vulnerability resides in the WebAdmin management interface of Sophos Firewall. The component fails to properly neutralize special elements used in operating system commands, mapping to [CWE-78]. Attackers on an adjacent network can inject shell metacharacters into a vulnerable WebAdmin request handler, causing the underlying operating system to execute attacker-supplied commands.

Exploitation does not require prior authentication. The pre-auth condition is reachable on HA auxiliary devices when OTP authentication is configured for the admin user. This configuration introduces a code path on the auxiliary node that processes attacker-controlled input before authentication is enforced.

Successful exploitation grants the attacker code execution in the context of the WebAdmin process. Because Sophos Firewall serves as a perimeter and segmentation device, code execution on the auxiliary HA node can be used to disrupt failover, intercept traffic, or pivot deeper into protected segments.

Root Cause

The root cause is improper input sanitization in a WebAdmin request handler that constructs an OS command using untrusted input. The handler is reachable on HA auxiliary nodes prior to OTP-based admin authentication, which converts the bug into a pre-auth remote code execution issue under the specified HA and OTP configuration.

Attack Vector

The attack vector is Adjacent Network, meaning the attacker must have access to the logically adjacent network segment used by the firewall, such as the HA link or management network. The attacker sends a crafted HTTP(S) request to the WebAdmin interface of an HA auxiliary device. No user interaction is required. No verified proof-of-concept exploit code is publicly available at this time. Refer to the Sophos Security Advisory for vendor technical details.

Detection Methods for CVE-2025-7382

Indicators of Compromise

  • Unexpected outbound connections originating from HA auxiliary firewall devices to unknown IP addresses.
  • WebAdmin access log entries from the HA heartbeat or management network containing shell metacharacters such as backticks, semicolons, pipes, or $() constructs.
  • New or modified processes spawned by the WebAdmin service outside of normal administrative workflows.
  • Unexplained HA state transitions, configuration changes, or admin user activity on auxiliary nodes.

Detection Strategies

  • Inspect WebAdmin HTTPS request logs for anomalous payloads targeting administrative endpoints, particularly on auxiliary HA devices.
  • Correlate firewall management plane authentication events with command execution telemetry to identify pre-auth activity.
  • Baseline expected traffic on the HA link and alert on any non-HA-protocol traffic reaching the WebAdmin port.

Monitoring Recommendations

  • Forward Sophos Firewall syslog and audit logs to a centralized SIEM for retention and correlation.
  • Restrict and monitor access to the WebAdmin interface, allowing only known administrative source addresses.
  • Alert on configuration changes, firmware modifications, and new admin sessions on HA auxiliary nodes.

How to Mitigate CVE-2025-7382

Immediate Actions Required

  • Upgrade Sophos Firewall to version 21.0 MR2 (21.0.2) or later as supplied by the vendor.
  • Restrict WebAdmin and HA link exposure to trusted management networks only.
  • Audit HA configuration and verify whether OTP authentication for the admin user is enabled on affected devices.
  • Review WebAdmin and HA logs for evidence of exploitation prior to patching.

Patch Information

Sophos has released fixed firmware in version 21.0 MR2 (21.0.2) and later. Administrators should apply the update through the standard Sophos Firewall update mechanism. Customers with automatic hotfix enabled may already have received the fix. See the Sophos Security Advisory for version-specific guidance.

Workarounds

  • Place the HA heartbeat and management interfaces on a dedicated, isolated VLAN inaccessible to general user networks.
  • Disable WebAdmin reachability on interfaces facing untrusted or adjacent segments where administrative access is not required.
  • If immediate patching is not possible, evaluate disabling OTP authentication for the admin user on HA auxiliary devices, recognizing the trade-off in administrative security controls.
bash
# Configuration example: restrict WebAdmin access to a dedicated management subnet
# Apply via Sophos Firewall WebAdmin > Administration > Device Access
# Allowed networks for WebAdmin (HTTPS) service:
#   - 10.10.0.0/24   (management LAN)
# Denied: all other zones including LAN, WAN, DMZ, and HA heartbeat
# Verify firmware version after upgrade:
system diagnostics show version
# Expected output: SFOS 21.0.2 MR-2 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.