Security Notice: SonicWall GMS SQL Injection Vulnerability

SonicWall Global Management System (GMS) contains a SQL Injection security vulnerability (CVE-2022-22280).

SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a proof of concept (PoC) have been made public, and malicious use of this vulnerability has not been reported to SonicWall.

Impact

CVE-2022-22280 is a critical vulnerability (CVSS 9.4) that results in an Improper Neutralization of Special Elements used in an SQL command in SonicWall GMS.

Workarounds/Temporary Mitigations

There is no workaround available for this vulnerability. However, the likelihood of exploitation may be significantly reduced by incorporating a Web Application Firewall (WAF) to block SQLi attempts.

Resolution

SonicWall PSIRT strongly suggests that organizations using the GMS version outlined below should upgrade to the respective patched version immediately.

Please reference the following deployment guides for guidance on upgrading GMS deployments: 

• SonicWall Global Management System 9.3: Upgrade Guide
  

Please reach out to SonicWall support if you require assistance with the upgrade process.

Resources:

• SNWLID-2022-0007
  
• CVE-2022-22280
  
• SonicWall Global Management System 9.3: Upgrade Guide