Security Experts:

Connect with us

Hi, what are you looking for?



Critical Vulnerability Allows Hackers to Disrupt SonicWall Firewalls

A significant number of SonicWall firewalls may be affected by a critical vulnerability that can be exploited for denial-of-service (DoS) attacks and possibly arbitrary code execution.

A significant number of SonicWall firewalls may be affected by a critical vulnerability that can be exploited for denial-of-service (DoS) attacks and possibly arbitrary code execution.

The vulnerability, identified as CVE-2020-5135, impacts various versions of SonicOS, the operating system powering SonicWall firewalls. The vendor has credited researchers at Tripwire and Positive Technologies for finding the security bug.

Tripwire discovered the flaw, which it described as a stack-based buffer overflow, in the SonicWall Network Security appliance (NSa), a firewall solution designed for medium size networks. The product also includes VPN capabilities that can be used by organizations to ensure secure remote access for employees.

SonicWall firewall vulnerability

Tripwire explained in a blog post that the vulnerability exists in the HTTP/HTTPS service that is used for device management and VPN access. An unauthenticated attacker can exploit it by sending specially crafted HTTP requests with a custom protocol handler.

While the security hole can definitely be exploited for DoS attacks, Tripwire says arbitrary code execution is “likely feasible” as the company has “confirmed the ability to divert execution flow through stack corruption.”

Even for DoS attacks, the vulnerability can pose a serious threat to organizations as an attacker can leverage it to force a targeted firewall to reboot.

“An attacker can keep the system rebooting by continuously sending the malicious request,” Tripwire’s Craig Young told SecurityWeek. “You could imagine an extortion scheme where someone threatens to keep your VPN workforce offline until you pay them to stop attacking. Particularly during COVID, it could be difficult for the organization to patch a device while under attack as it may require physical device access and prolonged downtime.”

Nikita Abramov, application analysis specialist at Positive Technologies, explained that a DoS attack leads to the “collapse” of the main firewall application, which he says is responsible for all the logic work, including the web interface, command-line interface and other services.

Tripwire said it identified nearly 800,000 exposed SonicWall systems on Shodan, but Young clarified that this list likely also includes devices that are not vulnerable.

Positive Technologies, on the other hand, told SecurityWeek that it identified roughly 460,000 vulnerable devices.

SonicWall has released an advisory that provides information on affected SonicOS versions as well as the availability of updates that should patch CVE-2020-5135.

Positive Technologies has also been credited by SonicWall this week for finding a dozen other vulnerabilities in SonicOS, including several high-severity DoS flaws that can be exploited remotely without authentication to crash a firewall, and less severe DoS, XSS, brute forcing, and admin username enumeration issues.

UPDATE: SonicWall has provided the following statement:

“SonicWall maintains the highest standards to ensure the integrity of its products, solutions, services, technology and any related IP. As such, the company takes every disclosure or discovery seriously.


“SonicWall was contacted by a third-party research team regarding issues related to SonicWall next-generation virtual firewall models (6.5.4v) that could potentially result in Denial-of-Service (DoS) attacks and/or cross-site scripting (XSS) vulnerabilities.


“Immediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research. This analysis lead to the discovery of additional unique vulnerabilities to virtual and hardware appliances requiring Common Vulnerabilities and Exposures (CVE) listings based on the Common Vulnerability Scoring System (CVSS). The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted.”

Related: Serious Vulnerabilities Expose SonicWall SMA Appliances to Remote Attacks

Related: IoT Botnets Target Apache Struts, SonicWall GMS

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet