One Day Sec

What additional security measure was added for WAN and VPN zone logins, and how does it affect exploitation?

Sophos added a CAPTCHA check for administrators who log into the Sophos XG Firewall management page from the WAN and VPN zones; logins from other zones are not gated by it. The check lives in `CSRFCheckFilter.class` (the `validateCaptcha()` and `doFilter()` functions) and in `CaptchaHelper.class`. It affects exploitation because a chain that tries to bypass authentication from an untrusted zone now has to get past the CAPTCHA first: when the CAPTCHA was required, the original POC no longer reached the login handling it targeted and instead received a redirect to `/webpages/login.jsp`. A redirect to that page is therefore the first thing to check for when a request from a WAN or VPN address behaves differently from the same request sent from a LAN address.
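To make the gating behaviour concrete, the following is an added Python model of a zone-aware CAPTCHA filter and of the response check a POC needs; it is not Sophos code and does not reproduce the real `CSRFCheckFilter`/`CaptchaHelper` implementation. The zone subnets, the session and request dictionaries, the token format and the function names are assumptions chosen for illustration; only the `/webpages/login.jsp` redirect and the "WAN and VPN require a CAPTCHA" rule come from the write-up.

```python
"""Hypothetical model of zone-gated CAPTCHA enforcement on an admin login.

Added example, not Sophos code. Zone layout, request shape and token
format are assumptions; the real filter's internals are not reproduced.
"""
import hmac
import ipaddress
import secrets
from typing import Dict, Optional

LOGIN_PAGE = "/webpages/login.jsp"

# Assumed zone layout: LAN and VPN pools are known; anything else is WAN.
ZONE_SUBNETS = {
    "LAN": [ipaddress.ip_network("192.168.1.0/24")],
    "VPN": [ipaddress.ip_network("10.81.234.0/24")],
}
CAPTCHA_ZONES = {"WAN", "VPN"}  # zones whose logins are CAPTCHA-gated


def classify_zone(client_ip: str) -> str:
    """Map a source address to a zone name (assumed subnet table)."""
    addr = ipaddress.ip_address(client_ip)
    for zone, nets in ZONE_SUBNETS.items():
        if any(addr in net for net in nets):
            return zone
    return "WAN"


class CaptchaHelper:
    """Issues single-use CAPTCHA answers bound to a session id."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # session_id -> expected answer

    def issue(self, session_id: str) -> str:
        # Hypothetical: 6 hex characters stand in for the rendered image text.
        answer = secrets.token_hex(3)
        self._pending[session_id] = answer
        return answer

    def validate(self, session_id: str, supplied: Optional[str]) -> bool:
        # pop() makes the answer single-use, so a captured value cannot be replayed.
        expected = self._pending.pop(session_id, None)
        if expected is None or supplied is None:
            return False
        return hmac.compare_digest(expected, supplied)


def do_filter(request: Dict[str, str], helper: CaptchaHelper) -> Dict[str, object]:
    """Hypothetical doFilter(): gate the login on a CAPTCHA for WAN/VPN sources.

    request: {"client_ip": ..., "session_id": ..., "captcha": optional answer}
    Returns a minimal response dict instead of a real servlet response.
    """
    zone = classify_zone(request["client_ip"])
    if zone in CAPTCHA_ZONES:
        if not helper.validate(request["session_id"], request.get("captcha")):
            # Same observable effect the write-up reports: bounce to login.jsp.
            return {"status": 302, "location": LOGIN_PAGE, "zone": zone}
    # Authentication proper would run here; the model only reports pass-through.
    return {"status": 200, "zone": zone}


def blocked_by_captcha(response: Dict[str, object]) -> bool:
    """POC-side check: a redirect back to login.jsp means the request was
    stopped by the CAPTCHA gate, not that the target code path ran."""
    return response.get("status") == 302 and response.get("location") == LOGIN_PAGE
```

The model keeps the two properties that matter for the exploitation question: the gate is decided by source zone before any login logic runs, and a CAPTCHA answer cannot be reused, so a chain from a WAN or VPN address must solve a fresh challenge per attempt.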
Tags: CAPTCHA, WAN zone, VPN zone, CSRFCheckFilter, CaptchaHelper
