Security advisories for Sophos Firewall, Intercept X, endpoint, and managed protection products.
Vendor watch hub
The Sophoswatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.
At a glance
Tracked
Active
Featured
Unique CVEs
Most recent entry
Sep 9, 2025, 9:38 AM
Feed refreshes daily · 05:15 UTC
Sources·Sophos Security Advisories RSS and NVD
"Most recent entry" is the newest item the upstream feed has published — not our sync time.
Watch items
Showing the 17 most recent items, newest first. Each row links to the official advisory.
17 rows · sorted newest first
Operations viewSeverity: criticalCVE: CVE-2025-10159First Published: Tue, 09 Sep 2025 14:38:18 GMTUpdated: Tue, 09 Sep 2025 00:00:00 GMTPublication ID: sophos-sa-20250909-ap6Article Version: 1
Severity: InformationalFirst Published: Wed, 03 Sep 2025 22:26:34 GMTUpdated: Wed, 03 Sep 2025 00:00:00 GMTPublication ID: sophos-sa-20250903-salesloft-drift-security-incidentArticle Version: 2
Severity: CriticalCVE: CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, CVE-2024-13973First Published: Mon, 21 Jul 2025 11:00:00 GMTUpdated: Mon, 21 Jul 2025 00:00:00 GMTPublication ID: sophos-sa-20250721-sfos-rceArticle Version: 1
Severity: HighCVE: CVE-2024-13972, CVE-2025-7433, CVE-2025-7472First Published: Thu, 17 Jul 2025 18:00:00 GMTUpdated: Wed, 06 Aug 2025 00:00:00 GMTPublication ID: sophos-sa-20250717-cix-lpeArticle Version: 3
Severity: HighCVE: CVE-2024-13861First Published: Fri, 11 Apr 2025 12:14:37 GMTUpdated: Fri, 11 Apr 2025 00:00:00 GMTPublication ID: sophos-sa-20250411-taegis-agent-lpeArticle Version: 1
Severity: InformationalCVE: CVE-2025-30065First Published: Sun, 06 Apr 2025 05:52:10 GMTUpdated: Fri, 18 Apr 2025 00:00:00 GMTPublication ID: sophos-sa-20250406-apache-parquetArticle Version: 2
Severity: InformationalFirst Published: Sun, 23 Mar 2025 17:32:21 GMTUpdated: Sun, 23 Mar 2025 00:00:00 GMTPublication ID: sophos-sa-20250321-oracle-cloud-data-breachArticle Version: 2
Severity: InformationalCVE: CVE-2025-30066First Published: Mon, 17 Mar 2025 11:11:08 GMTUpdated: Mon, 17 Mar 2025 00:00:00 GMTPublication ID: sophos-sa-20250317-tj-action-compromiseArticle Version: 1
Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature.
CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely.
Severity: CriticalCVE: CVE-2024-12727, CVE-2024-12728, CVE-2024-12729First Published: Thu, 19 Dec 2024 20:00:00 GMTUpdated: Thu, 19 Dec 2024 00:00:00 GMTPublication ID: sophos-sa-20241219-sfos-rceArticle Version: 1
Severity: HighCVE: CVE-2024-8885First Published: Wed, 02 Oct 2024 11:00:00 GMTUpdated: Wed, 02 Oct 2024 00:00:00 GMTPublication ID: sophos-sa-20241002-cde-lpeArticle Version: 1
Sophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution.
A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.
An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution.
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM.
Sophos Firewall operating system (SFOS) firmware contains a SQL injection vulnerability when configured with either the administration (HTTPS) service or the User Portal is exposed on the WAN zone. Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords). Known ransomware use: Known.
| Alert | Exposure | Status | Published | Source |
|---|---|---|---|---|
Resolved Authentication Bypass Vulnerability in Sophos AP6 Series Wireless Access Points Firmware (CVE-2025-10159)Severity: criticalCVE: CVE-2025-10159First Published: Tue, 09 Sep 2025 14:38:18 GMTUpdated: Tue, 09 Sep 2025 00:00:00 GMTPublication ID: sophos-sa-20250909-ap6Article Version: 1 | criticalCVE-2025-10159 Score 68 | active | Sep 9, 2025, 9:38 AM | Vendor advisoryOpen source |
Advisory: Salesloft Drift Security IncidentSeverity: InformationalFirst Published: Wed, 03 Sep 2025 22:26:34 GMTUpdated: Wed, 03 Sep 2025 00:00:00 GMTPublication ID: sophos-sa-20250903-salesloft-drift-security-incidentArticle Version: 2 | informational Score 23 | watch | Sep 3, 2025, 5:26 PM | Vendor advisoryOpen source |
Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, CVE-2024-13973)Severity: CriticalCVE: CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, CVE-2024-13973First Published: Mon, 21 Jul 2025 11:00:00 GMTUpdated: Mon, 21 Jul 2025 00:00:00 GMTPublication ID: sophos-sa-20250721-sfos-rceArticle Version: 1 | criticalCVE-2025-6704 Score 68 | active | Jul 21, 2025, 6:00 AM | Vendor advisoryOpen source |
Resolved Multiple Vulnerabilities in Sophos Endpoint for Windows (CVE-2024-13972, CVE-2025-7433, CVE-2025-7472)Severity: HighCVE: CVE-2024-13972, CVE-2025-7433, CVE-2025-7472First Published: Thu, 17 Jul 2025 18:00:00 GMTUpdated: Wed, 06 Aug 2025 00:00:00 GMTPublication ID: sophos-sa-20250717-cix-lpeArticle Version: 3 | highCVE-2024-13972 Score 68 | active | Jul 17, 2025, 1:00 PM | Vendor advisoryOpen source |
Resolved LPE vulnerability in Taegis Endpoint Agent (Linux) (CVE-2024-13861)Severity: HighCVE: CVE-2024-13861First Published: Fri, 11 Apr 2025 12:14:37 GMTUpdated: Fri, 11 Apr 2025 00:00:00 GMTPublication ID: sophos-sa-20250411-taegis-agent-lpeArticle Version: 1 | highCVE-2024-13861 Score 68 | active | Apr 11, 2025, 7:14 AM | Vendor advisoryOpen source |
Advisory: Apache Parquet Vulnerability (CVE-2025-30065)Severity: InformationalCVE: CVE-2025-30065First Published: Sun, 06 Apr 2025 05:52:10 GMTUpdated: Fri, 18 Apr 2025 00:00:00 GMTPublication ID: sophos-sa-20250406-apache-parquetArticle Version: 2 | informationalCVE-2025-30065 Score 23 | watch | Apr 6, 2025, 12:52 AM | Vendor advisoryOpen source |
Advisory: Oracle Cloud Data BreachSeverity: InformationalFirst Published: Sun, 23 Mar 2025 17:32:21 GMTUpdated: Sun, 23 Mar 2025 00:00:00 GMTPublication ID: sophos-sa-20250321-oracle-cloud-data-breachArticle Version: 2 | informational Score 23 | watch | Mar 23, 2025, 12:32 PM | Vendor advisoryOpen source |
Advisory: GitHub Action tj-actions/changed-files Compromise (CVE-2025-30066)Severity: InformationalCVE: CVE-2025-30066First Published: Mon, 17 Mar 2025 11:11:08 GMTUpdated: Mon, 17 Mar 2025 00:00:00 GMTPublication ID: sophos-sa-20250317-tj-action-compromiseArticle Version: 1 | informationalCVE-2025-30066 Score 23 | watch | Mar 17, 2025, 6:11 AM | Vendor advisoryOpen source |
Sophos XG Firewall Buffer Overflow VulnerabilitySophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature. XG Firewall | criticalCVE-2020-15069 Score 110 | active | Feb 5, 2025, 6:00 PM | CISA KEVOpen source |
CyberoamOS (CROS) SQL Injection VulnerabilityCyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely. CyberoamOS | criticalCVE-2020-29574 Score 110 | active | Feb 5, 2025, 6:00 PM | CISA KEVOpen source |
Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)Severity: CriticalCVE: CVE-2024-12727, CVE-2024-12728, CVE-2024-12729First Published: Thu, 19 Dec 2024 20:00:00 GMTUpdated: Thu, 19 Dec 2024 00:00:00 GMTPublication ID: sophos-sa-20241219-sfos-rceArticle Version: 1 | criticalCVE-2024-12727 Score 68 | active | Dec 19, 2024, 2:00 PM | Vendor advisoryOpen source |
Resolved LPE vulnerability in Sophos Intercept X for Windows (CVE-2024-8885)Severity: HighCVE: CVE-2024-8885First Published: Wed, 02 Oct 2024 11:00:00 GMTUpdated: Wed, 02 Oct 2024 00:00:00 GMTPublication ID: sophos-sa-20241002-cde-lpeArticle Version: 1 | highCVE-2024-8885 Score 68 | active | Oct 2, 2024, 6:00 AM | Vendor advisoryOpen source |
Sophos Web Appliance Command Injection VulnerabilitySophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution. Web Appliance | criticalCVE-2023-1671 Score 110 | active | Nov 15, 2023, 6:00 PM | CISA KEVOpen source |
Sophos Firewall Code Injection VulnerabilityA code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution. Firewall | criticalCVE-2022-3236 Score 110 | active | Sep 22, 2022, 7:00 PM | CISA KEVOpen source |
Sophos Firewall Authentication Bypass VulnerabilityAn authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution. Firewall | criticalCVE-2022-1040 Score 110 | active | Mar 30, 2022, 7:00 PM | CISA KEVOpen source |
Sophos SG UTM Remote Code Execution VulnerabilityA remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM. SG UTM | criticalCVE-2020-25223 Score 110 | active | Mar 24, 2022, 7:00 PM | CISA KEVOpen source |
Sophos SFOS SQL Injection VulnerabilitySophos Firewall operating system (SFOS) firmware contains a SQL injection vulnerability when configured with either the administration (HTTPS) service or the User Portal is exposed on the WAN zone. Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords). Known ransomware use: Known. SFOS | criticalCVE-2020-12271 Score 110 | active | Nov 2, 2021, 7:00 PM | CISA KEVOpen source |
Related vendors
ITECS response pathways
These pathways connect the vendor watch feed into service-owner resources that already carry commercial authority.
Use the endpoint detection & response pathway when this vendor alert needs an ITECS-managed response plan.
Connect the vendor watch page to broader managed detection, response, and governance planning.
Translate current watch items into a faster risk snapshot and prioritized remediation plan.
Return to the hub for cross-vendor prioritization, live filtering, and broader MSP threat context.
Vendor watch FAQ
It is the Sophos-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.
Use it to confirm whether current Sophos issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.
Yes. ITECS can help map Sophos advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.