{"id":59674,"date":"2025-07-27T05:28:53","date_gmt":"2025-07-27T05:28:53","guid":{"rendered":""},"modified":"2025-09-04T21:09:06","modified_gmt":"2025-09-05T03:09:06","slug":"cve-2025-7382-pre-auth-code-execution-vulnerability-in-sophos-firewall-webadmin","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-7382-pre-auth-code-execution-vulnerability-in-sophos-firewall-webadmin\/","title":{"rendered":"<strong>CVE-2025-7382: Pre-Auth Code Execution Vulnerability in Sophos Firewall WebAdmin<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>The CVE-2025-7382 is a high-risk vulnerability that affects the WebAdmin interface of Sophos Firewall versions older than 21.0 MR2 (21.0.2). This command injection vulnerability poses a serious threat to organizations as it allows adjacent attackers to execute arbitrary code on High Availability (HA) auxiliary devices without needing to authenticate first, provided OTP authentication for the admin user is enabled. As such, it&#8217;s crucial for network administrators and cybersecurity professionals to understand the implications of this <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-7837-critical-vulnerability-in-totolink-t6-potentially-leading-to-system-compromise\/\"  data-wpil-monitor-id=\"71144\">vulnerability and how to mitigate its potential<\/a> impact.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-7382<br \/>\nSeverity: High (8.8)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-43933-high-risk-vulnerability-leading-to-potential-system-compromise-via-password-reset-feature\/\"  data-wpil-monitor-id=\"71145\">Potential system compromise<\/a> or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-252122052\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>Sophos Firewall | Older than 21.0 MR2 (21.0.2)<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The exploit takes advantage of a <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-7097-critical-command-injection-vulnerability-in-comodo-internet-security-premium\/\"  data-wpil-monitor-id=\"69582\">command injection<\/a> weakness in the WebAdmin interface of older Sophos Firewall versions. Attackers can craft malicious inputs that are interpreted as part of the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-54416-arbitrary-command-execution-vulnerability-in-tj-actions-branch-names-github-action\/\"  data-wpil-monitor-id=\"69580\">command to be executed<\/a> by the system. When these inputs are processed, the system <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-26074-remote-code-execution-vulnerability-in-orkes-conductor-v3-21-11\/\"  data-wpil-monitor-id=\"65991\">executes the attacker&#8217;s code<\/a>, hence achieving pre-auth code execution on HA auxiliary devices.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-3952832238\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>A conceptual example of exploiting this <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-52362-critical-server-side-request-forgery-vulnerability-in-phproxy\/\"  data-wpil-monitor-id=\"71143\">vulnerability could involve sending a malicious HTTP POST request<\/a> to a vulnerable endpoint, as illustrated below:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/WebAdmin\/endpoint HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/json\n{ &quot;malicious_command&quot;: &quot;rm -rf \/*&quot; }<\/code><\/pre>\n<p>In this example, if the malicious_command payload is processed by the system, it could potentially delete all files, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-7793-critical-vulnerability-in-tenda-fh451-leading-to-system-compromise\/\"  data-wpil-monitor-id=\"69581\">leading to a system<\/a> compromise.<\/p>\n<p><strong>Mitigation<\/strong><\/p>\n<p>The most effective way to mitigate the impact of CVE-2025-7382 is to apply the vendor-provided patch, which upgrades the Sophos Firewall to a <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-46198-cross-site-scripting-vulnerability-in-grav-versions-1-7-46-to-1-7-48\/\"  data-wpil-monitor-id=\"69872\">version where this vulnerability<\/a> is fixed (21.0 MR2 or later). In case applying the patch is not immediately feasible, using a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) can serve as temporary mitigation measures, preventing the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-46122-arbitrary-command-execution-vulnerability-in-commscope-ruckus-unleashed\/\"  data-wpil-monitor-id=\"78906\">execution of malicious commands<\/a>. Regular monitoring and updating of system components and applications is a best practice that can help prevent future vulnerabilities.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The CVE-2025-7382 is a high-risk vulnerability that affects the WebAdmin interface of Sophos Firewall versions older than 21.0 MR2 (21.0.2). This command injection vulnerability poses a serious threat to organizations as it allows adjacent attackers to execute arbitrary code on High Availability (HA) auxiliary devices without needing to authenticate first, provided OTP authentication for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[78],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-59674","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-injection"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/59674","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=59674"}],"version-history":[{"count":5,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/59674\/revisions"}],"predecessor-version":[{"id":71306,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/59674\/revisions\/71306"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=59674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=59674"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=59674"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=59674"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=59674"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=59674"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=59674"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=59674"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=59674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}