Hi XG Community!

We've released XG Firewall 17.5 MR12. Initially, the firmware will be available by manual download from the Licensing Portal. We will gradually release the firmware via auto-update to customers.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Note: The upgrade from version 17.5 MR12 to 18.0 will follow soon.


  • Security Release
  • Fixes the SQL injection vulnerability and malicious code execution in XG Firewall/SFOS detailed in KBA135412

Note: The hotfix referenced in KBA135412 is NOT required for 17.5 MR12, as CVE-2020-12271 has been fixed in this release version.

Issues Resolved

  • NC-59408 [API Framework, UI Framework] SQLi prevention in hybrid request - ORM fields and mode parameters (CVE-2020-12271)
  • NC-58898 [Email] Potential RCE through heap overflow in awarrensmtp (CVE-2020-11503)
  • NC-59300 [Email] Blind pre-auth SQLi in spxd on port 8094
  • NC-59454 [UI Framework] Enable apache access logs


To manually install the upgrade, you can download the firmware from the Licensing Portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.