SonicWall firewall admins urged to update to prevent devices from being compromised

Network administrators with two models of SonicWall firewalls in their environments are being urged take action to prevent the devices from possibly being compromised.

The warning comes from researchers at Bishop Fox, an Arizona-based cybersecurity company, which says over 178,000 series 6 and series 7 next-generation firewalls could be in danger.

The problem is in unauthenticated denial-of-service vulnerabilities announced last year and in 2022, patches for which have already been issued. No exploitation has been seen in the wild since.

However, the researchers say a proof-of-concept exploit for the 2023 vulnerability has publicly been released.

“Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern,” the researchers said Monday.

SonicWall firewalls at risk are ones with management interfaces exposed to the internet, the report says.

“The impact of a widespread attack could be severe,” say the researchers. “In its default configuration, SonicOS restarts after a crash, but after three crashes in a short period of time it boots into maintenance mode and requires administrative action to restore normal functionality. The latest available firmware protects against both vulnerabilities, so be sure to upgrade immediately (and make sure the management interface isn’t exposed to the internet).

The two vulnerabilities are CVE-2022-22274, an unauthenticated buffer overflow affecting the firewalls’ web management interfaces, and CVE-2023-0656, a stack-based buffer overflow vulnerability in the SonicOS that could allow a remote unauthenticated attacker to cause Denial of Service (DoS), which could then cause an impacted firewall to crash.

Looking into the bugs, the Bishop Fox researchers found that CVE-2022-22274 was caused by the same vulnerable code pattern as  CVE-2023-0656 — but in a different place —  and exploitable at different HTTP URI paths. That makes exploitation easy.

Admins are urged to see if they have an exploitable device. If so, the web management interface should be detached from the internet, after which the firmware should be upgraded to the latest version.

“At this point in time, an attacker can easily cause a denial of service using this exploit,” note the researchers, “but as SonicWall noted in its advisories, a potential for remote code execution exists. While it may be possible to devise an exploit that can execute arbitrary commands, additional research is needed to overcome several challenges …

“Perhaps a bigger challenge for an attacker is determining in advance what firmware and hardware versions a particular target is using, as the exploit must be tailored to these parameters. Since no technique is currently known for remotely fingerprinting SonicWall firewalls, the likelihood of attackers leveraging RCE is, in our estimation, still low. Regardless, taking the appropriate precautions to secure your devices will ensure they don’t fall victim to a potentially painful DoS attack.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.