Turns out that if an attacker can provide some text -- say a phony system name, etc. -- that will be logged by the ubiquitous Log4j Java library, they can execute arbitrary code. It's used most everywhere, so the issue is much larger than Sophos, but...