Vulnerabilities

SonicWall Patches Critical Vulnerabilities in GMS, Analytics Products

SonicWall patches four critical-severity vulnerabilities in its Global Management System (GMS) and Analytics products.

SonicWall patches four critical-severity vulnerabilities in its Global Management System (GMS) and Analytics products.

SonicWall on Wednesday announced patches for 15 vulnerabilities in its Global Management System (GMS) and Analytics products, including four critical-severity issues.

GMS is a web-based application for the management and monitoring of SonicWall firewall appliances, while Analytics is a management and reporting engine.

The four critical-severity bugs addressed this week could be exploited to bypass authentication, potentially leading to the exposure of sensitive information.

Two of the flaws, tracked as CVE-2023-34133 and CVE-2023-34134 (CVSS score of 9.8), are described as unauthenticated SQL injection and password hash exposure issues, respectively.

The remaining two, CVE-2023-34124 and CVE-2023-34137 (CVSS score of 9.4), are described as a web service authentication bypass and a CAS authentication bypass, respectively.

Of the remaining flaws, four are high-severity vulnerabilities, while the other seven have a severity rating of ‘medium’.

Advertisement. Scroll to continue reading.

“The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior,” SonicWall notes in an advisory.

All 15 flaws were patched in GMS version 9.3.3 and Analytics version 2.5.2.

SonicWall, which has credited NCC Group for reporting these flaws, says there are no workarounds available for any of them. Organizations using GMS and Analytics are advised to update to a patched release as soon as possible.

The company also notes that it is not aware of any of these vulnerabilities being exploited in the wild, nor of proof-of-concept (PoC) exploits being made public. However, bugs in SonicWall appliances have been exploited in malicious attacks before.

Related: Custom Chinese Malware Found on SonicWall Appliance

Related: SonicWall Warns of Critical GMS SQL Injection Vulnerability

Related: SonicWall Patches Unauthorized Access Vulnerability in SMA Appliances

Related Content

Vulnerabilities

The bugs could be exploited to bypass security controls, access restricted services, and crash firewalls.

Vulnerabilities

The bugs could allow attackers to modify protected resources and escalate their privileges to administrator.

Vulnerabilities

The medium-severity flaw has been exploited in combination with a critical bug for remote code execution.

Vulnerabilities

The vulnerabilities could be exploited to cause a denial-of-service (DoS) condition, execute arbitrary code, or access arbitrary files and directories.

Nation-State

The threat actor stole the firewall configuration files of all SonicWall customers who used the cloud backup service.

Malware & Threats

Threat actors have rapidly compromised more than 100 SonicWall SSL VPN accounts pertaining to over a dozen entities.

Network Security

In early September, hackers stole the firewall configuration backup files stored using the MySonicWall service.

Ransomware

In one attack, the hackers leveraged the Datto RMM utility on a domain controller and various other legitimate tools to evade detection.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version