CVE-2025-7382: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Sophos Sophos Firewall
A command injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to adjacent attackers achieving pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled.
AI Analysis
Technical Summary
CVE-2025-7382 is a high-severity command injection vulnerability in the WebAdmin interface of Sophos Firewall versions prior to 21.0 MR2 (21.0.2). It affects High Availability (HA) auxiliary devices when One-Time Password (OTP) authentication is enabled for the admin user. An adjacent attacker, that is, one with network access to the HA auxiliary device but no credentials, can exploit the flaw to execute arbitrary code before authenticating and without any user interaction. The root cause is improper neutralization of special elements in the WebAdmin component (CWE-78), which lets attacker-controlled input reach an OS command. The CVSS v3.1 base score of 8.8 reflects the critical impact on confidentiality, integrity, and availability combined with the ease of exploitation (low attack complexity, no privileges and no user interaction required). No exploits are currently reported in the wild, but pre-authentication code execution on a firewall, a critical piece of network security infrastructure, makes this a significant threat. The provided data contains no patch link, so remediation may be pending or updates must be obtained directly from Sophos. Given the firewall's role in perimeter defense, exploitation could allow attackers to bypass security controls, intercept or manipulate network traffic, and disrupt network availability.
Potential Impact
For European organizations, this vulnerability poses a substantial risk due to the widespread use of Sophos Firewall in enterprise and governmental networks across the region. Successful exploitation could lead to full compromise of firewall devices, resulting in unauthorized access to internal networks, data exfiltration, and potential lateral movement within critical infrastructure. The ability to execute code pre-authentication on HA auxiliary devices is particularly concerning because these devices often serve as failover or load balancing nodes, and their compromise could undermine network resilience and continuity. Sensitive sectors such as finance, healthcare, telecommunications, and government agencies in Europe rely heavily on robust firewall protections; thus, this vulnerability could facilitate espionage, sabotage, or ransomware attacks. Additionally, the requirement for OTP authentication to be enabled on the admin user suggests that even organizations with enhanced security measures are at risk, highlighting the need for urgent patching and mitigation. The absence of known exploits in the wild provides a window for proactive defense, but the high CVSS score indicates that attackers will likely target this vulnerability once exploit code becomes available.
Mitigation Recommendations
European organizations should immediately verify their Sophos Firewall versions and upgrade to version 21.0 MR2 (21.0.2) or later where this vulnerability is addressed. If immediate patching is not feasible, organizations should restrict network access to the WebAdmin interface and HA auxiliary devices to trusted management networks only, using network segmentation and firewall rules to limit exposure. Disabling OTP authentication temporarily on admin accounts, if feasible, may reduce the attack surface, but this should be balanced against the security benefits of OTP. Monitoring firewall logs for unusual activity and implementing intrusion detection systems to detect command injection attempts can provide early warning. Organizations should also review and harden administrative access policies, including strong password enforcement and multi-factor authentication methods beyond OTP if possible. Regular backups of firewall configurations and system states should be maintained to enable rapid recovery in case of compromise. Finally, organizations should engage with Sophos support channels to obtain official patches and guidance, and stay alert for any emerging exploit reports or indicators of compromise related to this vulnerability.
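The first recommendation above is to verify installed versions against the fixed release. The following triage helper is an added example, not code from the advisory or from Sophos. It parses the two version spellings the advisory uses ("21.0 MR2" and "21.0.2") and flags each device in a constructed inventory by whether its code is below the fix and whether the two stated exploit preconditions (HA auxiliary role, OTP enabled for admin) are both present. The inventory entries and the general rule that "MRn" equals the third dotted component for any n are assumptions; the advisory only states the MR2 == .2 case.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed version stated in the advisory: 21.0 MR2, i.e. 21.0.2.
FIXED_VERSION: Tuple[int, int, int] = (21, 0, 2)

# Accepts "21.0.2", "21.0 MR2", "20.0 MR3", "21.0" (case-insensitive "mr").
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:MR\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a Sophos Firewall version string into (major, minor, release).

    Assumption (hypothetical generalisation of the page's "21.0 MR2 (21.0.2)"):
    a maintenance release "MRn" maps to the third dotted component n.
    Returns None when the string is not in a recognised form.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:
        release = int(m.group(3))      # dotted form, e.g. 21.0.2
    elif m.group(4) is not None:
        release = int(m.group(4))      # MR form, e.g. 21.0 MR2
    else:
        release = 0                    # bare "21.0" means the GA release
    return (major, minor, release)


def assess(name: str, version_text: str, otp_admin_enabled: bool,
           ha_auxiliary: bool) -> Dict[str, object]:
    """Classify one device against CVE-2025-7382's stated conditions.

    status:
      "unknown"   - version string could not be parsed; check manually
      "patched"   - running 21.0.2 or later
      "unpatched" - vulnerable code, but not an HA auxiliary with OTP admin
      "exposed"   - vulnerable code AND both exploit preconditions present
    upgrade_needed is True for every device below the fixed version,
    regardless of role: the preconditions only describe today's exposure.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return {"name": name, "version": version_text,
                "status": "unknown", "upgrade_needed": None}
    below_fix = parsed < FIXED_VERSION
    if not below_fix:
        status = "patched"
    elif otp_admin_enabled and ha_auxiliary:
        status = "exposed"
    else:
        status = "unpatched"
    return {"name": name, "version": version_text, "parsed": parsed,
            "status": status, "upgrade_needed": below_fix}


def triage(inventory: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Assess a whole inventory, most urgent ("exposed") entries first."""
    order = {"exposed": 0, "unpatched": 1, "unknown": 2, "patched": 3}
    results = [assess(str(d["name"]), str(d["version"]),
                      bool(d["otp_admin"]), bool(d["ha_aux"])) for d in inventory]
    return sorted(results, key=lambda r: order[str(r["status"])])


# Constructed sample inventory; these are not real devices or versions
# observed anywhere, only illustrative combinations of the advisory's conditions.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"name": "fw-ha-aux-1", "version": "21.0 MR1", "otp_admin": True, "ha_aux": True},
    {"name": "fw-ha-primary", "version": "21.0 MR1", "otp_admin": True, "ha_aux": False},
    {"name": "fw-branch", "version": "21.0.2", "otp_admin": True, "ha_aux": True},
    {"name": "fw-lab", "version": "20.0 MR3", "otp_admin": False, "ha_aux": True},
    {"name": "fw-unknown", "version": "v21", "otp_admin": True, "ha_aux": True},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['name']:<14} {row['version']:<10} {row['status']:<10} "
              f"upgrade_needed={row['upgrade_needed']}")
```

Devices reported as "unpatched" still need the upgrade: the HA role and OTP setting describe the exploit's preconditions as published, not a guarantee that other configurations are safe, and a later configuration change (enabling OTP, or a failover that changes roles) would move them into the "exposed" bucket.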
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Sophos
- Date Reserved: 2025-07-09T09:26:15.788Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687e4119a83201eaac0fbb9a
Added to database: 7/21/2025, 1:31:05 PM
Last enriched: 7/21/2025, 1:46:21 PM
Last updated: 8/27/2025, 2:24:15 PM
Views: 38
Related Threats
- CVE-2025-0878: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Akinsoft LimonDesk (Medium)
- CVE-2025-3701: CWE-862 Missing Authorization in Malcure Web Security Malcure Malware Scanner (Medium)
- CVE-2025-9901: Use of Cache Containing Sensitive Information in Red Hat Red Hat Enterprise Linux 10 (Medium)
- CVE-2025-53694: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Sitecore Sitecore Experience Manager (XM) (High)
- CVE-2025-53693: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in Sitecore Sitecore Experience Manager (XM) (Critical)