Hackers were spotted exploiting a vulnerability on Sophos XG firewalls which lead to the abuse of the firewall configuration, exposing information such as usernames and passwords.
The vulnerability is and SQL Injection Vulnerability and the company issued a hotfix which when applied informs the admins if their devices were compromised before the fix is applied.
WHO IS VULNERABLE?
All devices Physical and Virtual are vulnerable and all supported devices will receive a hotfix (SFOS 17.1, 17.5, 18.0)
“It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected.
“At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall.”
team sophos
