Security News > 2020 > October > Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE
2020-10-14 18:43
UPDATE. A critical security bug in the SonicWall VPN portal can be used to crash the device and prevent users from connecting to corporate resources.
"The most notable aspect of this vulnerability is that the VPN portal can be exploited without knowing a username or password," Young told Threatpost.
SonicWall has issued a patch; SSL VPN portals may be disconnected from the internet as a temporary mitigation before the patch is applied.
CVE-2020-5142 allows an unauthenticated attacker to inject JavaScript code in the firewall SSL-VPN portal.
Several vulnerabilities open a path to DoS attacks and can be used even by an unauthenticated attacker.
News URL
https://threatpost.com/critical-sonicwall-vpn-bug/160108/
Related news
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
- SonicWall warns of SMA1000 RCE flaw exploited in zero-day attacks (source)
- SonicWall flags critical bug likely exploited as zero-day, rolls out hotfix (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- SonicWall firewall exploit lets hackers hijack VPN sessions, patch now (source)
- SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-12 | CVE-2020-5142 | Cross-site Scripting vulnerability in Sonicwall Sonicos and Sonicosv A stored cross-site scripting (XSS) vulnerability exists in the SonicOS SSLVPN web interface. | 6.1 |