Sophos just posted this on Saturday 25/4-2020:
Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units. The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected. For reference, the default configuration of XG Firewall is that all services operate on unique ports.
The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices. It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should assume the data was compromised. The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.
What firmware versions of XG Firewall (SFOS) were impacted?
The vulnerability affected all versions of XG Firewall firmware on both physical and virtual firewalls. All supported versions of the XG Firewall firmware / SFOS received the hotfix (SFOS 17.0, 17.1, 17.5, 18.0). Customers using older versions of SFOS can protect themselves by upgrading to a supported version immediately.
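The advisory gives two concrete conditions a defender can check: whether the admin service or user portal (or another WAN-exposed service sharing their port) is reachable from the WAN zone, and whether the firmware is on a branch that received the hotfix (17.0, 17.1, 17.5, 18.0). The script below is an added illustration written for this post, not Sophos code or an XG API; the service/zone model, the `Service` dataclass and the sample configuration are my own constructed assumptions, since the real SFOS config format is not shown on the page.

```python
import re
from dataclasses import dataclass

# Constructed model of an XG-style service definition. Field names are an
# assumption for this example; they are not SFOS configuration syntax.
@dataclass(frozen=True)
class Service:
    name: str          # e.g. "admin", "user_portal", "ssl_vpn"
    port: int          # TCP port the service listens on
    zones: frozenset   # zones the service is exposed to, e.g. {"LAN", "WAN"}

# Services named in the advisory as the ones the SQL injection reached.
PORTAL_SERVICES = frozenset({"admin", "user_portal"})

# Supported SFOS branches the advisory says received the hotfix.
HOTFIXED_BRANCHES = frozenset({"17.0", "17.1", "17.5", "18.0"})


def exposed_services(services):
    """Return the names of services that put the firewall in the affected
    configuration described in the advisory:
      * admin service or user portal exposed on the WAN zone, or
      * any other WAN-exposed service that shares a port with either of them
        (the non-default shared-port case the advisory calls out).
    """
    portal_ports = {s.port for s in services if s.name in PORTAL_SERVICES}
    affected = []
    for s in services:
        if "WAN" not in s.zones:
            continue
        if s.name in PORTAL_SERVICES or s.port in portal_ports:
            affected.append(s.name)
    return affected


def version_status(sfos_version):
    """Classify an SFOS version string against the advisory's list of
    hotfixed branches. Only the major.minor prefix matters; anything else
    (e.g. an old 16.x build) is unsupported and must be upgraded."""
    m = re.match(r"\s*(\d+)\.(\d+)", sfos_version)
    if not m:
        return "unparseable"
    branch = f"{m.group(1)}.{m.group(2)}"
    return "hotfix-eligible" if branch in HOTFIXED_BRANCHES else "unsupported-upgrade"


def assess(services, sfos_version):
    """Combine both checks into one summary dict for a given firewall."""
    return {
        "exposed": exposed_services(services),
        "firmware": version_status(sfos_version),
    }


# Constructed sample: admin and user portal are LAN-only, but SSL VPN has been
# manually moved onto the user portal's port and exposed to the WAN, which is
# exactly the shared-port case the advisory says was also affected.
SAMPLE_SHARED_PORT = [
    Service("admin", 4444, frozenset({"LAN"})),
    Service("user_portal", 443, frozenset({"LAN"})),
    Service("ssl_vpn", 443, frozenset({"LAN", "WAN"})),
    Service("ipsec_vpn", 500, frozenset({"WAN"})),
]

# Constructed sample matching the default layout (unique ports) with nothing
# portal-related on the WAN: not in the affected configuration.
SAMPLE_DEFAULT = [
    Service("admin", 4444, frozenset({"LAN"})),
    Service("user_portal", 443, frozenset({"LAN"})),
    Service("ssl_vpn", 8443, frozenset({"LAN", "WAN"})),
]

if __name__ == "__main__":
    print(assess(SAMPLE_SHARED_PORT, "17.5.9 MR-9"))
    print(assess(SAMPLE_DEFAULT, "16.05.8"))
```

Running it on the first sample flags `ssl_vpn` even though the admin service and user portal are not themselves on the WAN, which is the subtle part of the advisory's affected-configuration wording; the second sample (unique ports, portals LAN-only) is clean but on a 16.x build, so the only action is the upgrade the advisory recommends.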