Important Notice

Dear Sophos Resellers & End Users,

We would like to make you aware of a vulnerability affecting the Web Application Firewall (WAF) functionality of Firewall and UTM appliances. We have sent the following email to all affected customers indicating any required actions. Please don’t hesitate to reach out to your account or support representative if you have additional questions.

Security Update for Users of Web Application Firewall (WAF) in SFOS

A security researcher discovered a Cross-site Scripting (XSS) vulnerability within the WAF component of the Sophos Firewall Operating System (SFOS).

The vulnerability, which was responsibly disclosed to Sophos, could be used for unauthenticated remote code execution. Our investigations have found no evidence of the vulnerability being exploited in any Firewall or UTM appliance.

An official security update is available, fully tested, and automatically distributed as follows:

  1. For customers running SFOS version 16 and above that use the default setting of automatic updates, the security update will be automatically installed, and there is no action required. Customers who have changed their default settings will need to apply the update manually.
  2. Customers who do not have the WAF turned on are not vulnerable, but will proactively receive the security update.


| SFOS Version | Security Update Distributed |
|---|---|
| Version 16.01 and above; Version 17 (all releases) | December 29, 2017 |
| Version 15 (all releases) | Upgrade to current SFOS version |

For more information please read the following KBA on our support website:


Regards, InternetNow