Security Notice: SonicWall GMS SQL Injection Vulnerability

First Published: 07/21/2022    Last Updated: 07/21/2022


SonicWall Global Management System (GMS) contains a SQL Injection security vulnerability (CVE-2022-22280).

SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a proof of concept (PoC) have been made public, and malicious use of this vulnerability has not been reported to SonicWall.

Impact

CVE-2022-22280 is a critical vulnerability (CVSS 9.4) classified as Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) in SonicWall GMS.
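To make the weakness class concrete, the following is an added illustration of CWE-89; it is generic example code, not SonicWall or GMS source, and says nothing about how GMS itself builds its queries. It shows the same lookup written two ways over a constructed SQLite table: one splicing the caller-supplied value into the SQL text (the improper neutralization the advisory names) and one binding it as a parameter. The table, column names and data are constructed for the demo.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed 'devices' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (serial TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("SN-0001", "alice"), ("SN-0002", "bob"), ("SN-0003", "carol")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Improper neutralization: the caller's value is spliced straight into
    the SQL text, so any quote character it contains is parsed as SQL."""
    sql = f"SELECT serial FROM devices WHERE owner = '{owner}' ORDER BY serial"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened form: the value travels as a bound parameter and is never
    interpreted as SQL, whatever characters it contains."""
    sql = "SELECT serial FROM devices WHERE owner = ? ORDER BY serial"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(conn: sqlite3.Connection, owner: str) -> dict:
    """Run both lookups on the same input and report what each returned.
    A database error from the vulnerable path is recorded as a string,
    since a broken query is itself a sign that the input reached the parser."""
    out = {}
    try:
        out["vulnerable"] = lookup_vulnerable(conn, owner)
    except sqlite3.Error as exc:
        out["vulnerable"] = f"error: {exc}"
    out["parameterized"] = lookup_parameterized(conn, owner)
    return out


if __name__ == "__main__":
    db = build_db()
    # Ordinary input: both paths agree.
    print(compare(db, "alice"))
    # A legitimate name containing a quote: the vulnerable path fails outright.
    print(compare(db, "o'brien"))
    # A value that rewrites the WHERE clause: the vulnerable path returns every row.
    print(compare(db, "x' OR '1'='1"))
```

The parameterized lookup returns an empty list for the last two inputs because no owner literally has those names; the vulnerable one either errors or returns all three serials, which is exactly the behaviour a WAF rule or a code review is trying to catch.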

Workarounds/Temporary Mitigations

There is no workaround available for this vulnerability. However, the likelihood of exploitation may be significantly reduced by placing a Web Application Firewall (WAF) in front of GMS to block SQL injection (SQLi) attempts.

Resolution

SonicWall PSIRT strongly suggests that organizations running the GMS versions outlined below upgrade to the respective patched version immediately.

AFFECTED VERSION                      PATCHED VERSION           ADVISORIES
GMS 9.3.1-SP2-Hotfix-1 and earlier    GMS 9.3.1-SP2-Hotfix-2
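As an added practical check (not a SonicWall tool), the following Python parses GMS version strings in the form the table uses and flags which inventory entries fall at or below the last affected build. It assumes that version components (major.minor.patch, service pack, hotfix) order numerically, that a missing SP or hotfix component counts as 0, and that any build above GMS 9.3.1-SP2-Hotfix-2 is outside the affected range; the inventory is constructed sample data.

```python
import re

# Boundaries taken from the advisory's table.
LAST_AFFECTED = "GMS 9.3.1-SP2-Hotfix-1"
FIRST_PATCHED = "GMS 9.3.1-SP2-Hotfix-2"

# Accepts "GMS 9.3.1-SP2-Hotfix-1", "9.3.1-SP2" or "9.3.1"; the "GMS " prefix,
# service pack and hotfix parts are optional (format assumed from the table).
_VERSION_RE = re.compile(
    r"^(?:GMS\s+)?(\d+)\.(\d+)\.(\d+)"   # major.minor.patch
    r"(?:-SP(\d+))?"                     # optional service pack
    r"(?:-Hotfix-(\d+))?$",              # optional hotfix number
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple:
    """Turn a GMS version string into a comparable tuple.
    Missing SP/hotfix components are treated as 0 (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GMS version string: {text!r}")
    major, minor, patch, sp, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(sp or 0), int(hotfix or 0))


def is_affected(text: str) -> bool:
    """True when the build is at or below the last affected version."""
    return parse_version(text) <= parse_version(LAST_AFFECTED)


def triage(inventory: dict) -> dict:
    """Classify each host as 'affected', 'not affected' or 'unparseable'.
    Unparseable entries are kept visible rather than silently skipped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory for the demo (hostnames and versions invented).
SAMPLE_INVENTORY = {
    "gms-prod-01": "GMS 9.3.1-SP2-Hotfix-1",
    "gms-prod-02": "GMS 9.3.1-SP2-Hotfix-2",
    "gms-lab-01": "9.3.1-SP2",
    "gms-old-01": "9.2.0-SP1-Hotfix-3",
    "gms-unknown": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} ({SAMPLE_INVENTORY[host]})")
```

Hosts reported as "unparseable" should be checked by hand; the script deliberately refuses to guess at a version string it does not recognise.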



Please reference the following deployment guides for guidance on upgrading GMS deployments: 

Please reach out to SonicWall support if you require assistance with the upgrade process.

Resources: