A critical vulnerability, identified as CVE-2025-6704, has been discovered in Sophos Firewall. This flaw allows an unauthenticated remote attacker to write arbitrary files to the device, which can be leveraged to execute code and gain full control of the firewall. Successful exploitation could lead to a complete compromise of the network perimeter, enabling data theft, network disruption, and further intrusions into the internal network.

The vulnerability is an arbitrary file write flaw within the Secure PDF eXchange (SPX) feature of the Sophos Firewall. An unauthenticated attacker can send a specially crafted request to the firewall's user portal or webadmin interface to exploit this flaw. By manipulating the SPX functionality, the attacker can write a file with arbitrary content to any location on the firewall's filesystem, leading to pre-authentication remote code execution (RCE).

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker complete administrative control over the affected firewall. The business impact is severe, as a compromised perimeter firewall can lead to unauthorized access to the entire internal network, theft of sensitive data, deployment of ransomware, significant business downtime, and severe reputational damage. Because the vulnerability is exploitable without authentication, any vulnerable device exposed to the internet is at immediate and high risk of compromise.

Immediate Action: Immediately update all vulnerable Sophos Firewall instances to the patched version 21.0 MR2 (21.0.2) or a later release. After patching, it is crucial to monitor for any signs of post-exploitation activity and review historical access logs for potential indicators of compromise.

Proactive Monitoring: Security teams should monitor for unusual or anomalous requests targeting the firewall's SPX service. Specifically, look for unexpected file creation or modification in critical system directories (e.g., /etc, /tmp, web server root directories). Monitor for unexpected outbound network connections originating from the firewall itself, which could indicate a successful compromise.

Compensating Controls: If patching cannot be performed immediately, restrict access to the Sophos Firewall's User Portal and Webadmin interfaces to a limited set of trusted IP addresses. If the Secure PDF eXchange (SPX) feature is not in use, consider disabling it entirely as a temporary mitigating control until the patch can be applied.

Public Exploit Available: false

Given the critical severity of this pre-authentication RCE vulnerability, we strongly recommend that organizations treat this as an emergency. The risk of a full network compromise is extremely high for any unpatched, internet-facing Sophos Firewall. Organizations must prioritize the immediate application of the vendor-supplied patch (version 21.0.2 or newer) to all affected devices to prevent exploitation.