Thousands of SonicWall firewalls have an unpatched management interface exposed on the internet

published: Jan. 15, 2024

Take action: As a general rule for all systems, the management interface/port should be reachable only from trusted networks, not from the entire internet. A device being a firewall doesn't mean that there are no vulnerabilities in it. Make sure your attack surface is minimal, and PATCH REGULARLY.



Security researchers are reporting a very unfortunate situation: over 178,000 SonicWall firewalls, specifically Series 6 and 7 models, are exposed on the internet and still vulnerable to Denial of Service (DoS) and potential Remote Code Execution (RCE) attacks due to two vulnerabilities, CVE-2022-22274 and CVE-2023-0656.

It's very disappointing that nearly 200,000 firewalls are exposed with their management interface on the internet and have been left unpatched for more than one year.

These vulnerabilities are critical because they can force firewalls into maintenance mode even if remote code execution is not achievable, necessitating administrator intervention and potentially disrupting network security. SonicWall has issued patches for both vulnerabilities.

These vulnerabilities, discovered by security researchers at Bishop Fox, affect a large portion of SonicWall devices with exposed management interfaces online.

 

A proof-of-concept (PoC) for CVE-2022-22274 has been developed by SSD Labs and is available online, although SonicWall security experts have not yet seen these vulnerabilities exploited in the wild.

To mitigate these threats, companies are urged to disconnect the management interface of affected firewalls from the public Internet and update to the latest firmware. Bishop Fox has also provided a test script on GitHub to help users identify vulnerabilities in their devices.
