Sophos AP6 Series CVE-2025-10159: Brief Summary of a Critical Authentication Bypass Vulnerability

This post provides a brief summary of CVE-2025-10159, a critical authentication bypass vulnerability in Sophos AP6 Series Wireless Access Points prior to firmware version 1.7.2563. The flaw allows remote attackers to gain administrative privileges without credentials. Details include affected versions, technical root cause, and vendor history.
ZeroPath CVE Analysis

2025-09-09
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Remote attackers can gain full administrative control over enterprise Wi-Fi infrastructure when authentication controls fail. CVE-2025-10159 demonstrates this risk in Sophos AP6 Series Wireless Access Points, where a critical flaw allows bypassing authentication entirely on devices running outdated firmware. This vulnerability has a CVSS score of 9.8 and impacts a widely deployed family of Wi-Fi 6 and Wi-Fi 6E access points used in business environments.

About Sophos and the AP6 Series: Sophos is a global cybersecurity vendor with a broad product portfolio that includes endpoint, firewall, and wireless security. The AP6 Series is its flagship line of enterprise Wi-Fi 6 and Wi-Fi 6E access points, managed via Sophos Central or local interfaces and deployed in organizations seeking unified security management for wireless networks.

Technical Information

CVE-2025-10159 is an authentication bypass vulnerability classified under CWE-620 (Unverified Password Change). The flaw is present in the management interface of Sophos AP6 Series Wireless Access Points running firmware versions older than 1.7.2563 (MR-7).

The vulnerability allows remote attackers to send crafted requests to the access point's web management interface or associated API endpoints. Because password change and authentication operations are insufficiently verified, attackers can bypass credential checks and set a new administrative password or otherwise gain administrative access. Neither physical access nor prior authentication is required.

Once administrative access is obtained, attackers can:

  • Change wireless network configurations
  • Intercept or redirect wireless traffic
  • Deploy rogue SSIDs or backdoors
  • Disable security features or monitoring

The root cause is a failure to properly validate the identity of users performing sensitive operations in the management interface, specifically related to password changes (CWE-620). No code snippets or further exploit details are publicly available at this time.

Affected Systems and Versions

  • Sophos AP6 Series Wireless Access Points
    • All models, including AP6 420, AP6 420E, AP6 420X, AP6 840, AP6 840E
    • Firmware versions older than 1.7.2563 (MR-7) are vulnerable
    • Devices managed via Sophos Central or local web interface are affected
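The advisory's only actionable indicator is the firmware threshold, so the first defensive step is an inventory check: which AP6 devices still run firmware older than 1.7.2563 (MR-7)? The script below is an added example (not Sophos or ZeroPath code) that parses firmware strings as an administrator might export them from Sophos Central, tolerates the "(MR-7)" annotation, and refuses to classify a device as patched when its version cannot be parsed. The inventory records are constructed sample data; the only value taken from the advisory is the fixed version.

```python
"""Flag Sophos AP6 Series access points whose firmware predates the fixed
release (1.7.2563, MR-7) named in the advisory for CVE-2025-10159.

Added example, not Sophos or ZeroPath code. The inventory records below are
constructed sample data; the only real value is the fixed-version threshold.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "1.7.2563"  # first firmware the advisory lists as not vulnerable (MR-7)

# Constructed sample inventory: hostname, model, firmware string as exported by an admin.
SAMPLE_INVENTORY = [
    {"host": "ap-lobby-01", "model": "AP6 420", "firmware": "1.6.2501"},
    {"host": "ap-floor2-03", "model": "AP6 840E", "firmware": "1.7.2563 (MR-7)"},
    {"host": "ap-warehouse", "model": "AP6 420X", "firmware": "1.7.2490"},
    {"host": "ap-lab-09", "model": "AP6 840", "firmware": "1.8.0"},
    {"host": "ap-unknown", "model": "AP6 420E", "firmware": ""},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the leading dotted numeric version from a firmware string.

    Trailing annotations such as '(MR-7)' are ignored. Raises ValueError when
    no version is present so callers never silently treat the device as safe.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(firmware: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the firmware is strictly older than the fixed release.

    Integer tuples compare element-wise, and a shorter tuple that is a prefix
    of a longer one compares as smaller, e.g. (1, 7) < (1, 7, 2563). That is
    the conservative reading for a truncated version string.
    """
    return parse_version(firmware) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Sort hosts into 'vulnerable', 'patched' and 'unknown' (unparseable version)."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for device in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(device["firmware"]) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(device["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices in the "unknown" bucket deserve a manual look rather than being assumed patched; an empty or malformed firmware field in an export is more often a reporting gap than evidence of an updated unit.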

Vendor Security History

Sophos has previously addressed critical vulnerabilities in its network products. Notably, CVE-2022-1040 affected Sophos Firewall with a similar authentication bypass flaw. The vendor typically issues patches and advisories quickly, but recurring authentication bypass issues highlight ongoing challenges in secure development for its network infrastructure products.
