An SQL injection vulnerability in the email quarantine release feature of XG Firewall was recently discovered and responsibly disclosed to Sophos by external security researchers. The vulnerability has been fixed. The remediation prevented remote execution of arbitrary code. There was no evidence that the vulnerability was exploited, and to our knowledge no customers are impacted.
Sophos would like to thank Jakob Heusinger and Matteo Tomaselli from Code White GmbH for responsibly disclosing this issue to Sophos.
No action is required for XG Firewall customers who have the "Allow automatic installation of hotfixes" feature enabled, which is the default setting.
Applies to: Sophos XG Firewall v18.0 MR1 and older