Sophos Firewall Command Injection Vulnerability in WebAdmin Allowing Pre-Authentication Code Execution on HA Auxiliary Devices

Vulnerability

A command injection vulnerability has been identified in the WebAdmin interface of Sophos Firewall. This vulnerability affects versions prior to 21.0 MR2 (21.0.2) and allows adjacent attackers to execute code on High Availability (HA) auxiliary devices without authentication, provided that One-Time Password (OTP) authentication is enabled for the admin user.

Impact

Exploitation of this vulnerability could lead to unauthorized pre-authentication code execution on High Availability auxiliary devices.

Remediation

Users should upgrade to Sophos Firewall version 21.0 MR2 or later. Hotfixes for this vulnerability have been released for several supported versions. Instructions for verifying the hotfix can be found in the Sophos Knowledge Base.

Added: Jul 21, 2025, 2:22 PM
Updated: Jul 21, 2025, 2:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 4.9
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.