Cybersecurity firm Sophos has released an emergency security update to patch a zero-day vulnerability in its XG enterprise firewall product that hackers exploited in the wild.
According to a ZDNet report, after receiving a report from one of its customers, Sophos learned of the zero-day on April 22. The customer reported after finding a suspicious field value visible in the management interface.
After investigating the report, the company determined this was an active attack and not an error in its product.
“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices. They used the SQL injection vulnerability to download a payload on the device. This payload then stole files from the XG Firewall,” the company said in a security advisory.
Hackers targeted Sophos XG Firewall devices that had their administration or the User Portal control panel exposed on the internet.
Sophos said that passwords for customers’ other external authentication systems, such as AD or LDAP, were unaffected.
The company said that it has not found any evidence that hackers used the stolen passwords to access XG Firewall devices.
However, the company has already pushed an automatic update to patch all XG Firewalls that have the auto-update feature enabled.
“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack,” it said.