Connect with us

Hi, what are you looking for?



180k Internet-Exposed SonicWall Firewalls Vulnerable to DoS Attacks, Possibly RCE

Two DoS vulnerabilities patched in 2022 and 2023 haunt nearly 180,000 internet-exposed SonicWall firewalls.

The majority of internet-exposed SonicWall next-generation firewall series 6 and 7 devices have not been patched against two potentially serious vulnerabilities, cybersecurity firm Bishop Fox reports.

The issues, tracked as CVE-2022-22274 and CVE-2023-0656 and rated critical- and high-severity, respectively, can be exploited remotely, without authentication. An attacker can use them to cause a denial-of-service (DoS) condition, but remote code execution (RCE) has not been ruled out either. SonicWall released patches for them in March 2022 and March 2023.

According to Bishop Fox, the two flaws are essentially the same, “but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern.”

Scanning the internet for vulnerable devices, the cybersecurity firm discovered that more than 178,000 of the SonicWall firewalls that have a publicly accessible web management interface are vulnerable to at least one of the security defects.

“The impact of a widespread attack could be severe. In its default configuration, SonicOS restarts after a crash, but after three crashes in a short period of time it boots into maintenance mode and requires administrative action to restore normal functionality,” Bishop Fox notes.

In its advisories, SonicWall notes that it is not aware of active exploitation of any of these vulnerabilities and that it has received no reports of proof-of-concept (PoC) exploit code being published for them.

However, PoC code targeting CVE-2023-0656 has been public since April 2023, when SSD Labs published it along with technical details on the bug.

By analyzing the root cause of these vulnerabilities, Bishop Fox identified a link between them and was able to create new PoC exploits for both. The exploit for CVE-2023-0656, the firm says, is similar to what SSD Labs published almost a year ago.

Advertisement. Scroll to continue reading.

“To our knowledge, no previous research has been published establishing a link between CVE-2022-22274 and CVE-2023-0656. Clearly, both vulnerabilities share the same underlying bug, but the initial patch only fixed the vulnerable code in one place, leaving the other instances to be found and reported a year later,” BishopFox says.

After developing the PoCs, the cybersecurity firm started looking for vulnerable devices accessible from the internet, and discovered that more than 146,000 firewalls remain unpatched against CVE-2022-22274, and that 178,000 are not patched against CVE-2023-0656.

In fact, almost all 146,000 vulnerable SonicWall firewalls are missing patches for both vulnerabilities. With CVE-2022-22274 also exploitable for remote code execution (RCE), these devices are potentially at risk of more than just DoS.

SonicWall customers are advised to apply the available patches as soon as possible. Vulnerabilities in SonicWall firewalls are known to have been exploited in malicious attacks.

Related: Five Eyes Agencies Call Attention to Most Frequently Exploited Vulnerabilities

Related: SonicWall Patches Critical Vulnerabilities in GMS, Analytics Products

Related: Custom Chinese Malware Found on SonicWall Appliance

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.