A cross-site scripting (XSS) vulnerability within the WAF component of the Sophos XG Firewall operating system (SFOS) has been discovered.
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. The vulnerability could be used for unauthenticated remote code execution. Our investigations have found no evidence of the vulnerability being exploited.
Applies to the following Sophos products and versions: Sophos Firewall
For customers running SFOS version 16 and above who use the default setting of automatic updates, the security update will be installed automatically and no action is required.
Customers who have changed their default settings will need to apply the update manually.
Customers who do not have the WAF turned on are not vulnerable but will proactively receive the security update.