Sophos Firewall Secure PDF eXchange Pre-Authentication Remote Code Execution Vulnerability

Vulnerability

An arbitrary file write vulnerability has been identified in the Secure PDF eXchange (SPX) feature of Sophos Firewall. This issue affects versions prior to 21.0 MR2 (21.0.2) and can lead to pre-authentication remote code execution. The vulnerability arises when a specific SPX configuration is enabled and the firewall is operating in High Availability (HA) mode.

Impact

Exploitation of this vulnerability allows for pre-authentication remote code execution on the affected Sophos Firewall device.

Remediation

Users of Sophos Firewall versions prior to 21.0 MR2 should upgrade to version 21.0 MR2 or a later version. For those on supported versions, hotfixes have been released. Instructions for verifying the hotfix can be found on the Sophos support website.

Added: Jul 21, 2025, 2:24 PM
Updated: Jul 21, 2025, 2:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 7.0
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.