SOPHOS ALERT: Change your XG Firewall admin password (KBA135412)
On April 24, 2020, Sophos published knowledge base article KBA135412, which included the remediation steps necessary to address vulnerability CVE-2020-12271.
Sophos is enforcing a password reset for the XG administrator and all other local administrator accounts that have not reset passwords since the security hotfix was applied at 2200 UTC on April 25, 2020. Where required, administrative accounts will be prompted to change passwords upon logging into an XG Firewall. The instructions for resetting a forgotten administrator password can be found in KBA123732.
For some configurations, additional remediation actions are required, as described in KBA135412.