8.8
CVE-2025-7382
- EPSS 3.8%
- Veröffentlicht 21.07.2025 13:28:38
- Zuletzt bearbeitet 17.11.2025 16:22:35
- Quelle security-alert@sophos.com
- CVE-Watchlists
- Unerledigt
A command injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to adjacent attackers achieving pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Sophos ≫ Firewall Firmware Version < 21.0.2
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.8% | 0.886 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-alert@sophos.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce