Sophos threat watch

Security advisories for Sophos Firewall, Intercept X, endpoint, and managed protection products.

Vendor watch hub

What this page covers

The Sophoswatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.

Confirm whether recent Sophos activity overlaps with your environment.
Prioritize advisories by MSP-relevance score, severity, and status.
Turn the signal into an assessment, briefing, or managed-service engagement with ITECS.

At a glance

Tracked

Active

Featured

Unique CVEs

Most recent entry

May 8, 2026, 4:00 AM

Feed refreshes daily · 5:15 a.m. Central

Sources·Sophos Security Advisories RSS and NVD

"Most recent entry" is the newest item the upstream feed has published — not our sync time.

Watch items

Recent Sophos watch items

Showing the 20 most recent items, newest first. Each row links to the official advisory.

20 rows · sorted newest first

Operations view

Advisory: Linux Kernel LPE - Dirty Frag

informational

watchVendor advisory

Severity: InformationalFirst Published: Fri, 08 May 2026 09:00:00 GMTUpdated: Fri, 08 May 2026 00:00:00 GMTPublication ID: sophos-sa-20260508-dirtyfragArticle Version: 1

May 8, 2026, 4:00 AMOfficial source

Advisory: Linux Kernel LPE - Copy Fail (CVE-2026-31431)

informational

watchVendor advisoryCVE-2026-31431

Severity: InformationalCVE: CVE-2026-31431First Published: Fri, 01 May 2026 12:00:00 GMTUpdated: Fri, 01 May 2026 00:00:00 GMTPublication ID: sophos-sa-20260501-copyfailArticle Version: 2

May 1, 2026, 7:00 AMOfficial source

Advisory: AirSnitch Vulnerabilities in Sophos AP6 and APX Series Access Points

medium

watchVendor advisory

Severity: MediumFirst Published: Tue, 21 Apr 2026 12:00:00 GMTUpdated: Tue, 21 Apr 2026 00:00:00 GMTPublication ID: sophos-sa-20260421-airsnitchArticle Version: 1

Apr 21, 2026, 7:00 AMOfficial source

Resolved Authentication Bypass Vulnerability in Sophos AP6 Series Wireless Access Points Firmware (CVE-2025-10159)

critical

activeVendor advisoryCVE-2025-10159

Severity: criticalCVE: CVE-2025-10159First Published: Tue, 09 Sep 2025 14:38:18 GMTUpdated: Tue, 09 Sep 2025 00:00:00 GMTPublication ID: sophos-sa-20250909-ap6Article Version: 1

Sep 9, 2025, 9:38 AMOfficial source

Advisory: Salesloft Drift Security Incident

informational

watchVendor advisory

Severity: InformationalFirst Published: Wed, 03 Sep 2025 22:26:34 GMTUpdated: Wed, 03 Sep 2025 00:00:00 GMTPublication ID: sophos-sa-20250903-salesloft-drift-security-incidentArticle Version: 2

Sep 3, 2025, 5:26 PMOfficial source

Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, CVE-2024-13973)

critical

activeVendor advisoryCVE-2025-6704

Severity: CriticalCVE: CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, CVE-2024-13973First Published: Mon, 21 Jul 2025 11:00:00 GMTUpdated: Mon, 21 Jul 2025 00:00:00 GMTPublication ID: sophos-sa-20250721-sfos-rceArticle Version: 1

Jul 21, 2025, 6:00 AMOfficial source

Resolved Multiple Vulnerabilities in Sophos Endpoint for Windows (CVE-2024-13972, CVE-2025-7433, CVE-2025-7472)

high

activeVendor advisoryCVE-2024-13972

Severity: HighCVE: CVE-2024-13972, CVE-2025-7433, CVE-2025-7472First Published: Thu, 17 Jul 2025 18:00:00 GMTUpdated: Wed, 06 Aug 2025 00:00:00 GMTPublication ID: sophos-sa-20250717-cix-lpeArticle Version: 3

Jul 17, 2025, 1:00 PMOfficial source

Resolved LPE vulnerability in Taegis Endpoint Agent (Linux) (CVE-2024-13861)

high

activeVendor advisoryCVE-2024-13861

Severity: HighCVE: CVE-2024-13861First Published: Fri, 11 Apr 2025 12:14:37 GMTUpdated: Fri, 11 Apr 2025 00:00:00 GMTPublication ID: sophos-sa-20250411-taegis-agent-lpeArticle Version: 1

Apr 11, 2025, 7:14 AMOfficial source

Advisory: Apache Parquet Vulnerability (CVE-2025-30065)

informational

watchVendor advisoryCVE-2025-30065

Severity: InformationalCVE: CVE-2025-30065First Published: Sun, 06 Apr 2025 05:52:10 GMTUpdated: Fri, 18 Apr 2025 00:00:00 GMTPublication ID: sophos-sa-20250406-apache-parquetArticle Version: 2

Apr 6, 2025, 12:52 AMOfficial source

Advisory: Oracle Cloud Data Breach

informational

watchVendor advisory

Severity: InformationalFirst Published: Sun, 23 Mar 2025 17:32:21 GMTUpdated: Sun, 23 Mar 2025 00:00:00 GMTPublication ID: sophos-sa-20250321-oracle-cloud-data-breachArticle Version: 2

Mar 23, 2025, 12:32 PMOfficial source

Advisory: GitHub Action tj-actions/changed-files Compromise (CVE-2025-30066)

informational

watchVendor advisoryCVE-2025-30066

Severity: InformationalCVE: CVE-2025-30066First Published: Mon, 17 Mar 2025 11:11:08 GMTUpdated: Mon, 17 Mar 2025 00:00:00 GMTPublication ID: sophos-sa-20250317-tj-action-compromiseArticle Version: 1

Mar 17, 2025, 6:11 AMOfficial source

Sophos XG Firewall Buffer Overflow Vulnerability

critical

activeCISA KEVCVE-2020-15069

Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature.

Feb 5, 2025, 6:00 PMOfficial source

CyberoamOS (CROS) SQL Injection Vulnerability

critical

activeCISA KEVCVE-2020-29574

CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely.

Feb 5, 2025, 6:00 PMOfficial source

Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)

critical

activeVendor advisoryCVE-2024-12727

Severity: CriticalCVE: CVE-2024-12727, CVE-2024-12728, CVE-2024-12729First Published: Thu, 19 Dec 2024 20:00:00 GMTUpdated: Thu, 19 Dec 2024 00:00:00 GMTPublication ID: sophos-sa-20241219-sfos-rceArticle Version: 1

Dec 19, 2024, 2:00 PMOfficial source

Resolved LPE vulnerability in Sophos Intercept X for Windows (CVE-2024-8885)

high

activeVendor advisoryCVE-2024-8885

Severity: HighCVE: CVE-2024-8885First Published: Wed, 02 Oct 2024 11:00:00 GMTUpdated: Wed, 02 Oct 2024 00:00:00 GMTPublication ID: sophos-sa-20241002-cde-lpeArticle Version: 1

Oct 2, 2024, 6:00 AMOfficial source

Sophos Web Appliance Command Injection Vulnerability

critical

activeCISA KEVCVE-2023-1671

Sophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution.

Nov 15, 2023, 6:00 PMOfficial source

Sophos Firewall Code Injection Vulnerability

critical

activeCISA KEVCVE-2022-3236

A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Sep 22, 2022, 7:00 PMOfficial source

Sophos Firewall Authentication Bypass Vulnerability

critical

activeCISA KEVCVE-2022-1040

An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Mar 30, 2022, 7:00 PMOfficial source

Sophos SG UTM Remote Code Execution Vulnerability

critical

activeCISA KEVCVE-2020-25223

A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM.

Mar 24, 2022, 7:00 PMOfficial source

Sophos SFOS SQL Injection Vulnerability

critical

activeCISA KEVCVE-2020-12271

Sophos Firewall operating system (SFOS) firmware contains a SQL injection vulnerability when configured with either the administration (HTTPS) service or the User Portal is exposed on the WAN zone. Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords). Known ransomware use: Known.

Nov 2, 2021, 7:00 PMOfficial source

Alert	Exposure	Status	Published	Source
Advisory: Linux Kernel LPE - Dirty Frag Severity: InformationalFirst Published: Fri, 08 May 2026 09:00:00 GMTUpdated: Fri, 08 May 2026 00:00:00 GMTPublication ID: sophos-sa-20260508-dirtyfragArticle Version: 1	informational Watch	watch	May 8, 2026, 4:00 AM	Vendor advisoryOpen source
Advisory: Linux Kernel LPE - Copy Fail (CVE-2026-31431) Severity: InformationalCVE: CVE-2026-31431First Published: Fri, 01 May 2026 12:00:00 GMTUpdated: Fri, 01 May 2026 00:00:00 GMTPublication ID: sophos-sa-20260501-copyfailArticle Version: 2	informationalCVE-2026-31431 Watch	watch	May 1, 2026, 7:00 AM	Vendor advisoryOpen source
Advisory: AirSnitch Vulnerabilities in Sophos AP6 and APX Series Access Points Severity: MediumFirst Published: Tue, 21 Apr 2026 12:00:00 GMTUpdated: Tue, 21 Apr 2026 00:00:00 GMTPublication ID: sophos-sa-20260421-airsnitchArticle Version: 1	medium Watch	watch	Apr 21, 2026, 7:00 AM	Vendor advisoryOpen source
Resolved Authentication Bypass Vulnerability in Sophos AP6 Series Wireless Access Points Firmware (CVE-2025-10159) Severity: criticalCVE: CVE-2025-10159First Published: Tue, 09 Sep 2025 14:38:18 GMTUpdated: Tue, 09 Sep 2025 00:00:00 GMTPublication ID: sophos-sa-20250909-ap6Article Version: 1	criticalCVE-2025-10159 Elevated	active	Sep 9, 2025, 9:38 AM	Vendor advisoryOpen source
Advisory: Salesloft Drift Security Incident Severity: InformationalFirst Published: Wed, 03 Sep 2025 22:26:34 GMTUpdated: Wed, 03 Sep 2025 00:00:00 GMTPublication ID: sophos-sa-20250903-salesloft-drift-security-incidentArticle Version: 2	informational Watch	watch	Sep 3, 2025, 5:26 PM	Vendor advisoryOpen source
Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, CVE-2024-13973) Severity: CriticalCVE: CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, CVE-2024-13973First Published: Mon, 21 Jul 2025 11:00:00 GMTUpdated: Mon, 21 Jul 2025 00:00:00 GMTPublication ID: sophos-sa-20250721-sfos-rceArticle Version: 1	criticalCVE-2025-6704 Elevated	active	Jul 21, 2025, 6:00 AM	Vendor advisoryOpen source
Resolved Multiple Vulnerabilities in Sophos Endpoint for Windows (CVE-2024-13972, CVE-2025-7433, CVE-2025-7472) Severity: HighCVE: CVE-2024-13972, CVE-2025-7433, CVE-2025-7472First Published: Thu, 17 Jul 2025 18:00:00 GMTUpdated: Wed, 06 Aug 2025 00:00:00 GMTPublication ID: sophos-sa-20250717-cix-lpeArticle Version: 3	highCVE-2024-13972 Elevated	active	Jul 17, 2025, 1:00 PM	Vendor advisoryOpen source
Resolved LPE vulnerability in Taegis Endpoint Agent (Linux) (CVE-2024-13861) Severity: HighCVE: CVE-2024-13861First Published: Fri, 11 Apr 2025 12:14:37 GMTUpdated: Fri, 11 Apr 2025 00:00:00 GMTPublication ID: sophos-sa-20250411-taegis-agent-lpeArticle Version: 1	highCVE-2024-13861 Elevated	active	Apr 11, 2025, 7:14 AM	Vendor advisoryOpen source
Advisory: Apache Parquet Vulnerability (CVE-2025-30065) Severity: InformationalCVE: CVE-2025-30065First Published: Sun, 06 Apr 2025 05:52:10 GMTUpdated: Fri, 18 Apr 2025 00:00:00 GMTPublication ID: sophos-sa-20250406-apache-parquetArticle Version: 2	informationalCVE-2025-30065 Watch	watch	Apr 6, 2025, 12:52 AM	Vendor advisoryOpen source
Advisory: Oracle Cloud Data Breach Severity: InformationalFirst Published: Sun, 23 Mar 2025 17:32:21 GMTUpdated: Sun, 23 Mar 2025 00:00:00 GMTPublication ID: sophos-sa-20250321-oracle-cloud-data-breachArticle Version: 2	informational Watch	watch	Mar 23, 2025, 12:32 PM	Vendor advisoryOpen source
Advisory: GitHub Action tj-actions/changed-files Compromise (CVE-2025-30066) Severity: InformationalCVE: CVE-2025-30066First Published: Mon, 17 Mar 2025 11:11:08 GMTUpdated: Mon, 17 Mar 2025 00:00:00 GMTPublication ID: sophos-sa-20250317-tj-action-compromiseArticle Version: 1	informationalCVE-2025-30066 Elevated	watch	Mar 17, 2025, 6:11 AM	Vendor advisoryOpen source
Sophos XG Firewall Buffer Overflow Vulnerability Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature. XG Firewall	criticalCVE-2020-15069 Critical	active	Feb 5, 2025, 6:00 PM	CISA KEVOpen source
CyberoamOS (CROS) SQL Injection Vulnerability CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely. CyberoamOS	criticalCVE-2020-29574 Critical	active	Feb 5, 2025, 6:00 PM	CISA KEVOpen source
Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729) Severity: CriticalCVE: CVE-2024-12727, CVE-2024-12728, CVE-2024-12729First Published: Thu, 19 Dec 2024 20:00:00 GMTUpdated: Thu, 19 Dec 2024 00:00:00 GMTPublication ID: sophos-sa-20241219-sfos-rceArticle Version: 1	criticalCVE-2024-12727 Elevated	active	Dec 19, 2024, 2:00 PM	Vendor advisoryOpen source
Resolved LPE vulnerability in Sophos Intercept X for Windows (CVE-2024-8885) Severity: HighCVE: CVE-2024-8885First Published: Wed, 02 Oct 2024 11:00:00 GMTUpdated: Wed, 02 Oct 2024 00:00:00 GMTPublication ID: sophos-sa-20241002-cde-lpeArticle Version: 1	highCVE-2024-8885 Elevated	active	Oct 2, 2024, 6:00 AM	Vendor advisoryOpen source
Sophos Web Appliance Command Injection Vulnerability Sophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution. Web Appliance	criticalCVE-2023-1671 Critical	active	Nov 15, 2023, 6:00 PM	CISA KEVOpen source
Sophos Firewall Code Injection Vulnerability A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution. Firewall	criticalCVE-2022-3236 Critical	active	Sep 22, 2022, 7:00 PM	CISA KEVOpen source
Sophos Firewall Authentication Bypass Vulnerability An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution. Firewall	criticalCVE-2022-1040 Critical	active	Mar 30, 2022, 7:00 PM	CISA KEVOpen source
Sophos SG UTM Remote Code Execution Vulnerability A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM. SG UTM	criticalCVE-2020-25223 Critical	active	Mar 24, 2022, 7:00 PM	CISA KEVOpen source
Sophos SFOS SQL Injection Vulnerability Sophos Firewall operating system (SFOS) firmware contains a SQL injection vulnerability when configured with either the administration (HTTPS) service or the User Portal is exposed on the WAN zone. Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords). Known ransomware use: Known. SFOS	criticalCVE-2020-12271 Critical	active	Nov 2, 2021, 7:00 PM	CISA KEVOpen source

Related vendors

Other security vendors in the radar

Cisco Fortinet Palo Alto Networks Okta Ivanti OpenSSL Citrix SonicWall

ITECS response pathways

Turn the Sophos watch feed into an action plan

These pathways connect the vendor watch feed into service-owner resources that already carry commercial authority.

Endpoint detection & response

Use the endpoint detection & response pathway when this vendor alert needs an ITECS-managed response plan.

Cybersecurity services

Connect the vendor watch page to broader managed detection, response, and governance planning.

Cybersecurity assessment

Translate current watch items into a faster risk snapshot and prioritized remediation plan.

Threat Radar hub

Return to the hub for cross-vendor prioritization, live filtering, and broader MSP threat context.

Vendor watch FAQ

Common questions

What is the Sophos threat watch page?

It is the Sophos-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.

How should teams use the Sophos watch page?

Use it to confirm whether current Sophos issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.

Can ITECS help respond to Sophos security issues?

Yes. ITECS can help map Sophos advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.

Back to Threat Radar hub Endpoint detection & response