CVE-2025-6704 is a critical vulnerability identified in Sophos Firewall products prior to version 21.0 MR2 (21.0.2). The flaw exists in the Secure PDF eXchange (SPX) feature, which, when configured in a specific manner and combined with the firewall operating in High Availability (HA) mode, allows an unauthenticated remote attacker to perform arbitrary file writes. This vulnerability stems from improper neutralization of special elements in OS commands (CWE-78), commonly known as OS Command Injection. Exploiting this vulnerability enables an attacker to execute arbitrary code on the affected firewall device without requiring any authentication or user interaction. The CVSS v3.1 base score of 9.8 reflects the critical nature of this issue, indicating high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction required. The vulnerability could allow attackers to compromise the firewall, potentially gaining control over network traffic filtering and monitoring, leading to severe consequences such as data exfiltration, network disruption, or lateral movement within the protected network. Although no known exploits are currently reported in the wild, the severity and ease of exploitation make it a significant threat that demands immediate attention from organizations using affected Sophos Firewall versions. The lack of available patches at the time of reporting further increases the urgency for mitigation through configuration changes or temporary workarounds until an official fix is released.

For European organizations, the impact of CVE-2025-6704 is substantial due to the critical role Sophos Firewall devices play in network security infrastructure. Successful exploitation could lead to full compromise of the firewall, undermining perimeter defenses and exposing sensitive data, including personal data protected under GDPR. This could result in regulatory penalties, reputational damage, and operational disruptions. Organizations relying on HA configurations for redundancy and high availability are particularly at risk, as the vulnerability specifically requires HA mode to be enabled alongside the SPX feature. Given the widespread use of Sophos Firewall in various sectors such as finance, healthcare, government, and critical infrastructure across Europe, the potential for large-scale impact is significant. Attackers could leverage this vulnerability to bypass security controls, intercept or manipulate traffic, and establish persistent footholds within corporate networks. The criticality of the vulnerability also raises concerns about targeted attacks by advanced threat actors aiming to disrupt European organizations or steal sensitive information.

Immediate mitigation steps include disabling the Secure PDF eXchange (SPX) feature if it is not essential, especially in environments where High Availability mode is enabled. Organizations should review their firewall configurations to identify if the vulnerable SPX configuration is active and consider temporarily disabling HA mode if feasible until a patch is available. Network segmentation and strict access controls should be enforced to limit exposure of management interfaces to untrusted networks. Monitoring firewall logs for unusual activity related to SPX or HA operations can help detect attempted exploitation. Additionally, organizations should subscribe to Sophos security advisories to promptly apply patches once released. Employing intrusion detection/prevention systems (IDS/IPS) to detect anomalous command injection patterns targeting the firewall can provide an additional layer of defense. Finally, conducting internal audits and penetration tests focusing on firewall configurations can help identify and remediate potential weaknesses proactively.