FKIE_CVE-2025-6704

Vulnerability from fkie_nvd - Published: 2025-07-21 14:15 - Updated: 2025-08-18 20:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode.
References
security-alert@sophos.comhttps://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rceVendor Advisory
Impacted products
Vendor Product Version
sophos firewall_firmware *
sophos firewall -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:sophos:firewall_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "60BD3474-6124-4B78-BE83-103A4D2F97BF",
              "versionEndExcluding": "21.0.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:sophos:firewall:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F728103-324C-4F34-9EE6-6E922018A2EB",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2)\u00a0can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de escritura arbitraria de archivos en la funci\u00f3n Secure PDF eXchange (SPX) de las versiones de Sophos Firewall anteriores a 21.0 MR2 (21.0.2) puede provocar la ejecuci\u00f3n remota de c\u00f3digo antes de la autorizaci\u00f3n, si se habilita una configuraci\u00f3n espec\u00edfica de SPX en combinaci\u00f3n con el firewall ejecut\u00e1ndose en modo de alta disponibilidad (HA)."
    }
  ],
  "id": "CVE-2025-6704",
  "lastModified": "2025-08-18T20:15:16.500",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-alert@sophos.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-21T14:15:30.133",
  "references": [
    {
      "source": "security-alert@sophos.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce"
    }
  ],
  "sourceIdentifier": "security-alert@sophos.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-alert@sophos.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.