What exactly does compromised mean regarding this hotfix? Does this mean that Sophos checked if Admin service and/or User Portal were allowed on the WAN port(s), or that Sophos found that the vulnerability was exploited on the XG Firewall?
My answer is not an official answer but I think I can help you a bit. I have 46 XG Firewalls, and only 9 received the "Hotfix applied for SQL injection and partially cleaned" message. The 37 other firewalls received the "Hotfix applied for SQL injection. Your device was NOT compromised" message.
100% of the 46 firewalls were not accessible from WAN on the Admin service, but only with User Portal. The 9 "compromised" were configured to use the 8443 https port for User Portal, and the 37 other firewalls another port.
So 100% of my firewalls had User Portal accessible from WAN, but only 9 received the "partially cleaned" message from Sophos. So, in my opinion, Sophos analyzed the XG firewalls and found that the vulnerability was exploited.
XG Certified Engineer
Sophos Gold Partner - Reseller from Lyon, France