Sophos has issued a hotfix for its XG Firewall to patch a zero-day exploit that was being actively exploited by hackers.

According to Sophos, the firm was first made aware of the issue on April 22 by a customer who noticed “a suspicious field value visible in the management interface.” After investigating, Sophos determined the value was not a bug, but indicative of an attack against both physical and virtual XG Firewall units.

“The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices,” reads the security bulletin. “It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should remediate to avoid the possibility that any data was compromised. The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.”

Because Sophos issued a hotfix for the vulnerability, a message should display on the XG management interface informing customers if their units were impacted. Uncompromised customers do not need to take any additional action, while compromised customers are encouraged to reset device administrator accounts, reboot the devices and reset passwords for local user accounts. If users had reused their XG passwords anywhere else, those should also be reset.