On 24th April 2020, Sophos (a British security software and hardware company) reported to the NCSC that they had identified a significant cyber incident resulting in an unknown actor exploiting a previously unknown vulnerability.

This exploitation creates a risk of compromised credentials or potentially gaining unauthorised access to customers utilising the  Sophos XG Firewall systems. The XG Firewall product is used by a range of statutory and commercial organisations across the UK and globally.  NCSC are managing the coordinated incident response and NCA (NCCU) are seeking to coordinate  the international law enforcement response.


  • Sophos have developed a hotfix to address the vulnerability and have been deploying this to devices that have automatic patching enabled. The company have also proactively informed affected users.
  • Sophos publicly announced the vulnerability and attack via their Knowledge Base platform: https://community.sophos.com/kb/en-us/135412
  • Sophos have also followed up with additional information which is now being publicly reported: https://news.sophos.com/en-us/2020/04/26/asnarok/
  • Whilst the incident is still being investigated the potential to exfil credentials including  (encrypted) passwords from user of these devices does highlight the need to consider changing passwords for any affected users. Current password guidance is available at:  https://www.ncsc.gov.uk/collection/passwords