SonicWall Global Management System (GMS) contains a SQL Injection security vulnerability (CVE-2022-22280).
SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a proof of concept (PoC) have been made public, and malicious use of this vulnerability has not been reported to SonicWall.
CVE-2022-22280 is a critical vulnerability (CVSS 9.4) classified as Improper Neutralization of Special Elements used in an SQL Command (SQL injection) in SonicWall GMS.
No workaround is available for this vulnerability. However, the likelihood of exploitation may be significantly reduced by placing a Web Application Firewall (WAF) in front of GMS to block SQL injection attempts.
SonicWall PSIRT strongly suggests that organizations running the affected GMS version listed below upgrade to the corresponding patched version immediately.
AFFECTED VERSION | PATCHED VERSION | ADVISORIES |
Please reference the following deployment guides for guidance on upgrading GMS deployments:
Please reach out to SonicWall support if you require assistance with the upgrade process.