Sophos continually investigates product security in order to close any potential risks to our customers. As a result, we have identified a subset of XG Firewalls with local users that require a password reset. Users signing in to the XG Firewall via the LAN or a VPN connection (except clientless VPN) need take no action. Local and guest users who have not reset their password since 2200 UTC on April 25, 2020 will be blocked from signing in to the User Portal on the WAN until their password is reset (including those using bookmarks via clientless access VPN). Local user and guest accounts are defined as user accounts created and authenticated on the XG Firewall itself.
Note: User accounts created and authenticated with directory services like Active Directory (AD) and LDAP are not affected, and no action is required.
For the rare cases where local and guest users are blocked from signing in to the User Portal on the WAN (or via clientless access VPN) even though they have reset their password since 2200 UTC on April 25, 2020, we are providing the ability to override this block. We are also providing the relevant commands for administrators to identify locally defined user accounts that require changes and to take action on them.
For more information, please see the following knowledge base article (KBA): https://community.sophos.com/kb/en-us/135493