SonicWall VPN vulnerability is pretty much as serious as it gets

SonicWall has sounded the alarm over a series of security vulnerabilities affecting its VPN hardware, some of which are classified as “critical”.

As noted in an advisory published by the firm, the issues relate to Secure Mobile Access (SMA) 100-series VPN appliances, and could be abused by an unauthenticated user to achieve root-level remote code execution.

The most serious of the vulnerabilities has been given a score of 9.8 out of 10 under the Common Vulnerability Scoring System (CVSS), reflecting the scope for an attacker to tamper with access privileges and ultimately take control of the vulnerable VPN device.

“The vulnerability is due to the SonicWall SMA SSLVPN Apache httpd server GET method of the mod_cgi module's environment variables using a single stack-based buffer via `strcat`. This allows a remote attacker to cause a stack-based buffer overflow, which would result in code execution,” explained SonicWall.
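As an added illustration of the bug class the advisory describes (this is constructed example code, not SonicWall's or Apache httpd's source), the C below builds a CGI environment variable with unbounded `strcat` into a fixed stack buffer and, beside it, a length-checked version that refuses input that would not fit; the buffer size, variable names and sample values are assumptions.

```c
/* Added illustration of the bug class in the advisory, not SonicWall's or
 * Apache httpd's code: a CGI header is turned into an environment variable
 * and appended to a fixed-size stack buffer with strcat, which never checks
 * the remaining space. A bounded variant is shown beside it. All constructed. */
#include <stdio.h>
#include <string.h>

#define ENV_BUF_SIZE 64   /* constructed: small so the limit is easy to reach */

/* Vulnerable pattern: the request-controlled value is never compared with the
 * buffer size, so strcat writes past the end of buf when the pieces do not fit. */
void build_env_unbounded(char *buf, const char *name, const char *value)
{
    buf[0] = '\0';
    strcat(buf, "HTTP_");
    strcat(buf, name);
    strcat(buf, "=");
    strcat(buf, value);     /* overflow when strlen(value) is too large */
}

/* Hardened pattern: work out the full length first, refuse anything that
 * would not fit including the terminating NUL, and only then write.
 * Returns 0 on success, -1 if rejected (buf is left as an empty string). */
int build_env_bounded(char *buf, size_t buf_size,
                      const char *name, const char *value)
{
    size_t need = strlen("HTTP_") + strlen(name) + 1 + strlen(value) + 1;
    buf[0] = '\0';
    if (need > buf_size)
        return -1;
    snprintf(buf, buf_size, "HTTP_%s=%s", name, value);
    return 0;
}

/* Runs the bounded builder against a local buffer and reports its status,
 * so the accept/reject decision can be checked without exposing the buffer. */
int check_env_fits(const char *name, const char *value)
{
    char buf[ENV_BUF_SIZE];
    return build_env_bounded(buf, sizeof buf, name, value);
}

int main(void)
{
    printf("short value: %d\n", check_env_fits("HOST", "example.test"));
    printf("long value : %d\n", check_env_fits("HOST",
           "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The bounded version accepts a value only when `"HTTP_" + name + "=" + value` plus the NUL fits in the buffer, so the 64-byte boundary is the exact cut-off.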

SonicWall VPN vulnerabilities

Discovered by cybersecurity researchers at Rapid7 and NCC Group, the eight SonicWall VPN vulnerabilities range in severity from medium to critical, and the majority require no authentication to exploit.

Mercifully, SonicWall says there is no evidence the vulnerabilities have yet been abused in the wild, but the company has “strongly urged” customers to deploy the relevant patches immediately.

“SonicWall has verified and patched vulnerabilities of critical and medium severity in SMA 100 series appliances, which include SMA 200, 210, 400, 410 and 500v products. SMA 100 series appliances with WAF enabled are also impacted by the majority of these vulnerabilities,” wrote the firm.

However, these are not the only security bugs to have exposed SonicWall customers in recent history. Since the turn of the year, the company has been forced to release a “critical firmware update” to patch a zero-day affecting SMA 100-series devices, and a separate patch for an issue with its Email Security (ES) products.

In July, meanwhile, the company issued a statement warning customers of a wave of ransomware attacks targeting products running end-of-life, unpatched firmware.

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
