SonicWall has published a critical security advisory, SNWLID-2026-0004, disclosing three newly identified vulnerabilities in SonicOS, the operating system powering its entire firewall lineup.
Organizations running Gen6, Gen7, and Gen8 SonicWall firewalls are urged to apply patches immediately, as two of the three flaws carry high to medium severity ratings and require no prior privileges to initiate the attack chain.
SonicWall’s advisory bundles three distinct flaws under a single advisory identifier, each carrying a different severity and attack surface. Although no public exploits are currently known, the low attack complexity across multiple CVEs makes these vulnerabilities highly attractive to opportunistic attackers and sophisticated threat actors alike.
CVE-2026-0204 – Improper Access Control
The most critical flaw of the trio, CVE-2026-0204, is classified as Weak Authentication and carries a CVSS v3 score of 8.0. The vulnerability exists within SonicOS’s access control mechanism, allowing certain management interface functions to become accessible under specific conditions without requiring prior authentication from an attacker positioned on an adjacent network.
Business impact is severe: successful exploitation can hand an attacker full administrative control over the firewall, enabling them to alter firewall policies, open backdoors, or exfiltrate sensitive credentials. The CVSS vector AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H confirms high impact on confidentiality, integrity, and availability.
CVE-2026-0205 – Post-Authentication Path Traversal
CVE-2026-0205 is a post-authentication path traversal vulnerability (CWE-35) with a CVSS score of 6.8. An authenticated attacker on the adjacent network can exploit this flaw to traverse directory paths and interact with normally restricted services within the SonicOS environment.
While exploitation requires the attacker to already hold credentials, this does not diminish the risk, especially in environments where credential theft or phishing attacks are a concern.
Path traversal vulnerabilities in firewall operating systems are particularly dangerous as they can expose internal service APIs and configuration files that are never intended to be user-accessible.
CVE-2026-0206 – Post-Authentication Stack Buffer Overflow
The third vulnerability, CVE-2026-0206, is a stack-based buffer overflow (CWE-121) with a CVSS score of 4.9. A remote authenticated attacker with high privileges can trigger this flaw over the network (AV:N) to crash the firewall entirely, resulting in a complete availability denial with A:H impact.
Prior advisories also documented similar CWE-121 flaws in the SSLVPN service that allowed remote, unauthenticated denial-of-service attacks. While the confidentiality and integrity impact of CVE-2026-0206 is rated None, a firewall crash in a production environment can expose an entire network perimeter during the downtime window.
| Field | Detail |
|---|---|
| Advisory ID | SNWLID-2026-0004 |
| Published | April 29, 2026 |
| CVEs | CVE-2026-0204, CVE-2026-0205, CVE-2026-0206 |
| Max CVSS v3 Score | 8.0 (High) |
| Workaround Available | Yes |
Affected Products and Versions
The advisory covers a wide range of SonicWall hardware across three hardware generations.
Gen6 Hardware Firewalls (SOHOW, TZ 300/400/500/600 series, NSA 2650–6650, SM 9200–9650, SOHO 250, TZ 350):
- Affected: 6.5.5.1-6n and older
- Fixed: 6.5.5.2-28n
Gen7 Firewalls & NSv (TZ270–TZ670, NSa 2700–6700, NSsp 10700–15700, NSv 270/470/870 on ESX, KVM, Hyper-V, AWS, Azure):
- Affected: 7.0.1-5169 and older / 7.3.1-7013 and older
- Fixed: 7.3.2-7010
Gen8 Firewalls (TZ80–TZ680, NSa 2800–5800):
- Affected: 8.1.0-8017 and older
- Fixed: 8.2.0-8009
Disable HTTP/HTTPS Management
Until firmware patches can be applied, SonicWall PSIRT strongly recommends that administrators immediately disable HTTP/HTTPS-based firewall management and SSLVPN on all interfaces, and restrict management access to SSH only.
This is a critical interim mitigation that directly addresses the attack vector for CVE-2026-0204, which targets the management interface. Turning off publicly exposed management interfaces has consistently proven to be the most effective short-term control against SonicWall exploitation campaigns.
SonicWall has issued a strict downgrade warning for Gen6 devices: downgrading from version 6.5.5.2-28n to any prior firmware is not supported. It will result in the deletion of all LDAP users and a complete reset of all MFA settings. Administrators are strongly advised to take a full configuration backup before proceeding with the upgrade.
This mirrors warnings issued during previous SonicWall firmware cycles, where organizations experienced service disruptions following improperly managed rollback attempts.
With a CVSS score of 8.0 against the management interface and low attack complexity, every hour without patching extends the window for exploitation.
Network defenders should treat this advisory as an urgent priority, cross-reference firewall versions against the affected list, apply the appropriate firmware fix, and validate that the workaround is in place until patching is complete.
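The cross-referencing step above, as an added example (not SonicWall tooling and not part of the advisory): a Python triage of a firmware inventory against the affected and fixed builds listed on this page. The inventory is constructed, and mapping the SonicOS major version to the hardware generation is an assumption.

```python
import re

# Ceilings and fixed builds copied from the advisory text on this page.
# Assumption: the SonicOS major version (6/7/8) identifies the generation.
ADVISORY = {
    6: {"affected_max": ["6.5.5.1-6n"], "fixed": "6.5.5.2-28n"},
    7: {"affected_max": ["7.0.1-5169", "7.3.1-7013"], "fixed": "7.3.2-7010"},
    8: {"affected_max": ["8.1.0-8017"], "fixed": "8.2.0-8009"},
}
_VERSION = re.compile(r"(\d+(?:\.\d+)+)-(\d+)")

def parse(version):
    """Return ((dotted ints...), build), or None if no version is found."""
    m = _VERSION.search(version)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def classify(version):
    """Map a firmware string to 'fixed', 'affected', 'review' or 'unknown'."""
    v = parse(version)
    if v is None or v[0][0] not in ADVISORY:
        return "unknown"  # unparseable, or a generation the advisory omits
    entry = ADVISORY[v[0][0]]
    if v >= parse(entry["fixed"]):
        return "fixed"
    if v <= max(parse(c) for c in entry["affected_max"]):
        return "affected"
    return "review"  # below the fixed build but above every listed ceiling

def triage(inventory):
    """inventory: iterable of (hostname, firmware). Returns hosts needing action."""
    rows = [(host, fw, classify(fw)) for host, fw in inventory]
    return sorted(r for r in rows if r[2] != "fixed")

# Constructed inventory for illustration; not real hosts.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "6.5.4.15-116n"),
    ("fw-hq-01", "7.3.2-7010"),
    ("fw-dc-02", "SonicOS 7.0.1-5161"),
    ("fw-lab-03", "8.1.0-8017"),
    ("fw-edge-04", "7.3.1-7050"),
    ("fw-legacy-05", "5.9.2.14-13o"),
]

if __name__ == "__main__":
    for host, fw, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {fw:22} {status}")
```

Hosts reported as `review` or `unknown` are not confirmed safe; they run a build the page neither lists as affected nor as fixed and need a manual check against the vendor advisory.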
FAQ
Q1. What is the highest severity CVE in SNWLID-2026-0004?
CVE-2026-0204, rated CVSS 8.0 (High), is the most critical flaw, an improper access control vulnerability that can expose firewall management functions without authentication.
Q2. Which SonicWall firewall generations are affected?
Gen6, Gen7, and Gen8 SonicWall hardware firewalls, as well as NSv virtual appliances, are all affected by this advisory.
Q3. What is the official workaround before patching?
SonicWall PSIRT recommends immediately disabling HTTP/HTTPS management and SSL VPN on all interfaces, and restricting access to SSH only until firmware patches are applied.
Q4. Who discovered these SonicOS vulnerabilities?
The vulnerabilities were discovered and reported by the Advanced Research Team at CrowdStrike through responsible disclosure.