Surprised there is no 'banner' announcement of this in the community forum (I learnt about it from a third party security mailing list). I've said it before but I will say it again, I think it is a major failing of Sophos not to have a security alert mailing list.
Details here - https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
How to check if your XG has been patched - https://support.sophos.com/support/s/article/KB-000044539?language=en_US
Even on the latest version of Sophos Connect. I noticed this happening with 2.1. Don't think I've seen it on 2.2.75.