We've just released UTM version 9.7 MR22 (9.722). As this is a regular maintenance update it will be released in three phases:
- In phase 1 you can download the update package from our download server. Click the link and navigate to the folder UTM / v9 / up2date.
  - Up2date package – 9.721 to 9.722 https://download.astaro.com/UTM/v9/up2date/u2d-sys-9.721003-722002.tgz.gpg
  - Md5sum is e431ac463abca3d6a523a057b5d1514b https://download.astaro.com/UTM/v9/up2date/u2d-sys-9.721003-722002.tgz.gpg.md5
- During phase 2, starting in late August, we will make it available via our Up2Date servers in several stages.
- In phase 3 we will make it available via our Up2Date servers to all remaining installations. See the update below.
Details of this release, along with previous releases, can be found on our official release notes page.
Once again, the main purpose of this release is to update a number of third-party components that have had disclosed vulnerabilities. We have also fixed a couple of customer-reported issues.
Whenever a vulnerability is reported in a component used in Sophos UTM, we review the reports fully to determine the risk level to our customers. For vulnerabilities where there is a risk to our customers, we aim to include the vulnerability CVE details in these release notes. But in many cases, the reported vulnerabilities are not relevant due to the limited way a component is used in UTM - these updates are generally treated less urgently.
IMPORTANT UPDATE (2 September 2025)
During the staged release of version 9.7 MR22 (9.722) we discovered an issue caused by the fix for Apache vulnerability CVE-2025-23048. The issue only occurs when Sophos UTM is deployed as a WAF behind another reverse proxy (e.g. a load balancer), and that proxy is not configured to include the correct web server name in the Client Hello SNI during the TLS handshake.
The Apache vulnerability addressed by this change can only be exploited when Apache is using TLS 1.3 and client certificate authentication, neither of which is supported on Sophos UTM. Since Sophos UTM is not vulnerable to this issue, we will roll back this specific change while keeping the other Apache vulnerability fixes.
We are putting the further release of 9.7 MR22 on hold and will release a fixed update as 9.7 MR23 as soon as possible. If you have not yet updated, we recommend you wait until this new update is available. If you are already running 9.7 MR22 without issues, no action is required at this time.
Reminder - UTM end-of-life on 30 June 2026
There is now less than a year until the end-of-life of Sophos UTM. We will continue to provide updates to urgent issues until then, but we advise you to plan migration away from Sophos UTM in plenty of time.
See this article for more information.
We have published a tool that can help migration to Sophos Firewall by exporting some of the key parts of your UTM configuration for import into a new Sophos Firewall system. You can download the latest version of this tool at https://github.com/sophos/Sophos-Migration-Utility-CLI
We have also just announced a free three-month license overlap when you migrate from SG UTM to a Sophos Firewall, to allow time to run the systems in parallel while you make the transition.
Other news
- Maintenance Release
- Security Release
Remarks
- System will be rebooted
- Configuration will be upgraded
Issues resolved
- NUTM-15157 [Basesystem] Improved performance data and statistics collection for "get-support-data"
- NUTM-14369 [Basesystem] Addressed the Gawk vulnerability CVE-2023-4156
- NUTM-13824 [Basesystem] Addressed the LibYAML vulnerability CVE-2013-6393
- NUTM-13740 [Basesystem] Addressed the Gzip/xz vulnerability CVE-2022-1271
- NUTM-13687 [Basesystem] Addressed the Gnutls vulnerabilities CVE-2017-7869 and CVE-2017-5335
- NUTM-12719 [Basesystem] Addressed the Ruby vulnerabilities CVE-2020-10663 and CVE-2021-28965
- NUTM-15066 [Email] Upgraded Exim to 4.98.2+ to address vulnerability CVE-2025-30232
- NUTM-14957 [Email] Improved the processing of emails stuck in the SMTP spool with the error message "Invalid request"
- NUTM-15174 [WAF] Upgraded Apache to 2.4.64+ to address vulnerabilities CVE-2024-42516, CVE-2024-47252, and CVE-2025-53020