SonicWall Sonicos

SonicOS SSLVPN Buffer Overflow Remote Unauth DoS
CVE-2025-40601 7.5 - High - November 20, 2025

A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash.

Stack Overflow

SonicOS SSL VPN Format String Causing DoS
CVE-2025-40600 - July 29, 2025

Use of Externally-Controlled Format String vulnerability in the SonicOS SSL VPN interface allows a remote unauthenticated attacker to cause service disruption.

Use of Externally-Controlled Format String

SonicOS SSLVPN Virtual Office NPE in SSLVPN Interface allows Remote DoS
CVE-2025-32818 - April 23, 2025

A Null Pointer Dereference vulnerability in the SonicOS SSLVPN Virtual office interface allows a remote, unauthenticated attacker to crash the firewall, potentially leading to a Denial-of-Service (DoS) condition.

NULL Pointer Dereference

Integer Overflow in SonicOS IPSec (IKEv2) Remote DoS/Exec
CVE-2024-40765 - January 09, 2025

An Integer-based buffer overflow vulnerability in the SonicOS via IPSec allows a remote attacker in specific conditions to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a specially crafted IKEv2 payload.

Integer Overflow or Wraparound

SonicOS Admin Absolute Path Traversal Enables Post-Auth File Read
CVE-2024-12806 - January 09, 2025

A post-authentication absolute path traversal vulnerability in SonicOS management allows a remote attacker to read an arbitrary file.

Path Traversal: '/absolute/pathname/here'

SonicOS Post-Auth Format String Vulnerability Enables Crash & RCE
CVE-2024-12805 - January 09, 2025

A post-authentication format string vulnerability in SonicOS management allows a remote attacker to crash a firewall and potentially leads to code execution.

Use of Externally-Controlled Format String

SonicOS CLI Buffer Overflow Enables Remote Crash
CVE-2024-12803 - January 09, 2025

A post-authentication stack-based buffer overflow vulnerability in SonicOS management allows a remote attacker to crash a firewall and potentially leads to code execution.

Stack Overflow

SSRF in SonicOS SSH Mgmt Enables Remote TCP Connections
CVE-2024-53705 - January 09, 2025

A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall.

SSRF

Improper Auth in SSLVPN auth bypass vulnerability
CVE-2024-53704 8.2 - High - January 09, 2025

An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.

authentification

SonicWall SonicOS 7.0.1-5035 MM Access Control Vulnerability
CVE-2024-40766 9.3 - Critical - August 23, 2024

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

Authorization

SonicOS IPSec VPN Heap Overflow DoS
CVE-2024-40764 7.5 - High - July 18, 2024

Heap-based buffer overflow vulnerability in the SonicOS IPSec VPN allows an unauthenticated remote attacker to cause Denial of Service (DoS).

Memory Corruption

RADIUS MD5 Response Authenticator Forgery via Chosen-Prefix Collision
CVE-2024-3596 9 - Critical - July 09, 2024

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

Heap BOverflow in SonicOS SSLVPN memcpy Causing DoS
CVE-2024-29013 6.5 - Medium - June 20, 2024

Heap-based buffer overflow vulnerability in the SonicOS SSL-VPN allows an authenticated remote attacker to cause Denial of Service (DoS) via memcpy function.

Memory Corruption

SonicOS HTTP Server Stack Overflow Causing DoS (CVE-2024-29012)
CVE-2024-29012 7.5 - High - June 20, 2024

Stack-based buffer overflow vulnerability in the SonicOS HTTP server allows an authenticated remote attacker to cause Denial of Service (DoS) via sscanf function.

Memory Corruption

SonicOS SSLVPN Portal XSS for Authenticated Admin Users
CVE-2024-22397 - March 14, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in the SonicOS SSLVPN portal allows a remote authenticated attacker as a firewall 'admin' user to store and execute arbitrary JavaScript code.

XSS

SonicOS IPSec IKEv2 Int Buffer Overflow
CVE-2024-22396 - March 14, 2024

An Integer-based buffer overflow vulnerability in the SonicOS via IPSec allows a remote attacker in specific conditions to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a specially crafted IKEv2 payload.

Integer Overflow or Wraparound

Improper Auth Bypass in SonicWall SonicOS 7.1.1-7040 SSL-VPN
CVE-2024-22394 9.8 - Critical - February 08, 2024

An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication.  This issue affects only firmware version SonicOS 7.1.1-7040.

authentification

SonicOS SSLVPN Tunnel PostAuth Privilege Escalation
CVE-2023-41715 8.8 - High - October 17, 2023

SonicOS post-authentication Improper Privilege Management vulnerability in the SonicOS SSL VPN Tunnel allows users to elevate their privileges inside the tunnel.

Improper Privilege Management

SonicOS Hard-coded Password in dynHandleBuyToolbar Demo
CVE-2023-41713 7.5 - High - October 17, 2023

SonicOS Use of Hard-coded Password vulnerability in the 'dynHandleBuyToolbar' demo function.

Use of Hard-coded Credentials

SonicOS SSL VPN Buffer Overflow CVE-2023-41712
CVE-2023-41712 6.5 - Medium - October 17, 2023

SonicOS post-authentication Stack-Based Buffer Overflow Vulnerability in the SSL VPN plainprefs.exp URL endpoint leads to a firewall crash.

Memory Corruption

SonicOS sonicwall.exp/Prefs.exp PostAuth Stack Overflow (CVE202341711)
CVE-2023-41711 6.5 - Medium - October 17, 2023

SonicOS post-authentication Stack-Based Buffer Overflow Vulnerability in the sonicwall.exp, prefs.exp URL endpoints lead to a firewall crash.

Memory Corruption

SonicOS POST Auth Stack Buffer Overflow in ssoStats-s.xml/wri
CVE-2023-39280 6.5 - Medium - October 17, 2023

SonicOS p ost-authentication Stack-Based Buffer Overflow vulnerability in the ssoStats-s.xml, ssoStats-s.wri URL endpoints leads to a firewall crash.

Memory Corruption

SonicOS getPacketReplayData.JSON SB-Buffer Overflow Crashes Firewall
CVE-2023-39279 6.5 - Medium - October 17, 2023

SonicOS post-authentication Stack-Based Buffer Overflow vulnerability in the getPacketReplayData.json URL endpoint leads to a firewall crash.

Memory Corruption

SonicOS main.cgi Stack-Based Buffer Overflow via Post-Auth Assertion Failure
CVE-2023-39278 6.5 - Medium - October 17, 2023

SonicOS post-authentication user assertion failure leads to Stack-Based Buffer Overflow vulnerability via main.cgi leads to a firewall crash.

Memory Corruption

SonicOS Buffer Overflow in sonicflow.csv causes firewall crash
CVE-2023-39277 6.5 - Medium - October 17, 2023

SonicOS post-authentication stack-based buffer overflow vulnerability in the sonicflow.csv and appflowsessions.csv URL endpoints leads to a firewall crash.

Memory Corruption

SonicWall SonicOS buffer overflow in getBookmarkList.json
CVE-2023-39276 6.5 - Medium - October 17, 2023

SonicOS post-authentication stack-based buffer overflow vulnerability in the getBookmarkList.json URL endpoint leads to a firewall crash.

Memory Corruption

SonicOS SSLVPN Improper MFA Restriction Allows Authenticated Attack
CVE-2023-1101 8.8 - High - March 02, 2023

SonicOS SSLVPN improper restriction of excessive MFA attempts vulnerability allows an authenticated attacker to use excessive MFA codes.

Improper Restriction of Excessive Authentication Attempts

Stack Buffer Overflow in SonicOS Firewall Remote DoS
CVE-2023-0656 7.5 - High - March 02, 2023

A Stack-based buffer overflow vulnerability in the SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash.

Memory Corruption

A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this
CVE-2021-20019 7.5 - High - June 23, 2021

A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.

Buffer Overflow

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client
CVE-2021-3449 5.9 - Medium - March 25, 2021

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

NULL Pointer Dereference

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain
CVE-2021-3450 7.4 - High - March 25, 2021

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

Improper Certificate Validation

A vulnerability in SonicOS allows a remote unauthenticated attacker to brute force Virtual Assist ticket ID in the firewall SSLVPN service
CVE-2020-5141 6.5 - Medium - October 12, 2020

A vulnerability in SonicOS allows a remote unauthenticated attacker to brute force Virtual Assist ticket ID in the firewall SSLVPN service. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.

Improper Restriction of Excessive Authentication Attempts

A vulnerability in SonicOS
CVE-2020-5133 7.5 - High - October 12, 2020

A vulnerability in SonicOS allows a remote unauthenticated attacker to cause Denial of Service due to buffer overflow, which leads to a firewall crash. This vulnerability affected SonicOS Gen 6 version 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.

Classic Buffer Overflow

A vulnerability in SonicOS allows an authenticated attacker to cause out-of-bound invalid file reference leads to a firewall crash
CVE-2020-5134 6.5 - Medium - October 12, 2020

A vulnerability in SonicOS allows an authenticated attacker to cause out-of-bound invalid file reference leads to a firewall crash. This vulnerability affected SonicOS Gen 6 version 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.

Out-of-bounds Read

A buffer overflow vulnerability in SonicOS
CVE-2020-5135 9.8 - Critical - October 12, 2020

A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.

Classic Buffer Overflow

A buffer overflow vulnerability in SonicOS
CVE-2020-5136 6.5 - Medium - October 12, 2020

A buffer overflow vulnerability in SonicOS allows an authenticated attacker to cause Denial of Service (DoS) in the SSL-VPN and virtual assist portal, which leads to a firewall crash. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.

Classic Buffer Overflow

A buffer overflow vulnerability in SonicOS
CVE-2020-5137 7.5 - High - October 12, 2020

A buffer overflow vulnerability in SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS) on the firewall SSLVPN service and leads to firewall crash. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.

Classic Buffer Overflow

A Heap Overflow vulnerability in the SonicOS
CVE-2020-5138 7.5 - High - October 12, 2020

A Heap Overflow vulnerability in the SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS) on the firewall SSLVPN service and leads to SonicOS crash. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.

Memory Corruption

A vulnerability in SonicOS SSLVPN service
CVE-2020-5139 7.5 - High - October 12, 2020

A vulnerability in SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS) due to the release of Invalid pointer and leads to a firewall crash. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.

Release of Invalid Pointer or Reference

A vulnerability in SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS) on the firewall SSLVPN service by sending a malicious HTTP request
CVE-2020-5140 7.5 - High - October 12, 2020

A vulnerability in SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS) on the firewall SSLVPN service by sending a malicious HTTP request that leads to memory addresses leak. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.

Out-of-bounds Read

A stored cross-site scripting (XSS) vulnerability exists in the SonicOS SSLVPN web interface
CVE-2020-5142 6.1 - Medium - October 12, 2020

A stored cross-site scripting (XSS) vulnerability exists in the SonicOS SSLVPN web interface. A remote unauthenticated attacker is able to store and potentially execute arbitrary JavaScript code in the firewall SSLVPN portal. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.

XSS

SonicOS SSLVPN login page
CVE-2020-5143 5.3 - Medium - October 12, 2020

SonicOS SSLVPN login page allows a remote unauthenticated attacker to perform firewall management administrator username enumeration based on the server responses. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.

Side Channel Attack

SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability
CVE-2020-5132 5.3 - Medium - September 30, 2020

SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability. When the users publicly display their organizations internal domain names in the SSL-VPN authentication page, an attacker with knowledge of internal domain names can potentially take advantage of this vulnerability.

SonicOS SSLVPN LDAP login request
CVE-2020-5130 5.3 - Medium - July 17, 2020

SonicOS SSLVPN LDAP login request allows remote attackers to cause external service interaction (DNS) due to improper validation of the request. This vulnerability impact SonicOS version 6.5.4.4-44n and earlier.

Improper Input Validation

A vulnerability in SonicOS allow authenticated read-only admin can elevate permissions to configuration mode
CVE-2019-7479 7.2 - High - December 31, 2019

A vulnerability in SonicOS allow authenticated read-only admin can elevate permissions to configuration mode. This vulnerability affected SonicOS Gen 5 version 5.9.1.12-4o and earlier, Gen 6 version 6.2.7.4-32n, 6.5.1.4-4n, 6.5.2.3-4n, 6.5.3.3-3n, 6.2.7.10-3n, 6.4.1.0-3n, 6.5.3.3-3n, 6.5.1.9-4n and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V).

authentification

Installation of the SonicOS SSLVPN NACagent 3.5 on the Windows operating system, an autorun value is created does not put the path in quotes, so if a malicious binary by an attacker within the parent path could
CVE-2019-7487 7.8 - High - December 19, 2019

Installation of the SonicOS SSLVPN NACagent 3.5 on the Windows operating system, an autorun value is created does not put the path in quotes, so if a malicious binary by an attacker within the parent path could allow code execution.

Unquoted Search Path or Element

Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 2 of 4)
CVE-2019-12260 9.8 - Critical - August 09, 2019

Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 2 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer state confusion caused by a malformed TCP AO option.

Classic Buffer Overflow

Wind River VxWorks 6.7 though 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 3 of 4)
CVE-2019-12261 9.8 - Critical - August 09, 2019

Wind River VxWorks 6.7 though 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 3 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer state confusion during connect() to a remote host.

Classic Buffer Overflow

Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4)
CVE-2019-12255 9.8 - Critical - August 09, 2019

Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is a IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.

Classic Buffer Overflow

Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component
CVE-2019-12258 7.5 - High - August 09, 2019

Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is a IPNET security vulnerability: DoS of TCP connection via malformed TCP options.

Session Fixation