Easily exploitable Sonicwall flaw: Thousands of devices still unpatched
A patch closing an SSL VPN vulnerability in Sonicwall appliances has been available since the beginning of January. Nevertheless, more than 5000 devices are still vulnerable.
(Image: created with AI in Bing Designer by heise online / dmk)
At the beginning of January, Sonicwall released updates to close a zero-day vulnerability in Sonicwall's SSL VPN and SSH management. The manufacturer warned of possible misuse by attackers. However, as of the middle of last week, more than 5000 Sonicwall appliances are still vulnerable.
IT security researchers at Bishop Fox have investigated the vulnerability and have successfully exploited it to take over access points, for example. “Our current investigation indicates that more than 5000 vulnerable Sonicwall devices are accessible on the Internet,” they write in their analysis. “Although significant reverse engineering efforts were required to find and exploit the vulnerability, the exploit itself was quite trivial,” they add.
Exploit code: Publication of proof-of-concept
The IT researchers also discuss their timeline. As part of a responsible disclosure, they intend to publish further details 90 days after notifying the manufacturer. They notified Sonicwall on November 5, 2024, and Sonicwall released updates on January 7, 2025. To give IT managers a full month to update, the company plans to publish the details of the exploit code on February 10.
As thousands of Sonicwall appliances that are apparently vulnerable are still reachable on the network, admins should update them as soon as possible. The advisory may have been overlooked at the beginning of the year, which would explain why so many Sonicwall firewalls remain unpatched.
The vulnerabilities in the SSL VPN and SSH management of Sonicwall firewalls became known on January 7. Initially, the manufacturer had only announced updates, but on January 8 they were actually available. Since the end of last week, attackers have also been abusing another vulnerability in the SMA1000 that allows them to inject system commands (CVE-2025-23006, CVSS 9.8, risk “critical”). Sonicwall has now also published a patch against this vulnerability, which IT managers should apply immediately if they have not already done so.
(dmk)