Multiple SonicWall vulnerabilities enable SQL injection and privilege escalation attacks
4 min. read 
Published on
SonicWall has disclosed four vulnerabilities in its Secure Mobile Access 1000 series appliances that can lead to SQL injection, credential enumeration, and multi-factor authentication bypass. The issues affect SMA 1000 devices including SMA 6210, SMA 7210, SMA 8200v, and Central Management Server, and SonicWall says customers should upgrade as soon as possible.
The most serious flaw is CVE-2026-4112, which SonicWall rates 7.2 out of 10. According to the advisory, a remote authenticated attacker with read-only access can exploit an improper neutralization issue to perform SQL injection and escalate privileges to primary administrator.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The other three bugs are less severe on paper but still important in practice. CVE-2026-4113 can let an unauthenticated remote attacker enumerate SSL VPN user credentials through observable response differences, while CVE-2026-4114 and CVE-2026-4116 can let authenticated users bypass TOTP protections in AMC and Workplace or Connect Tunnel workflows because of Unicode handling flaws.
What SonicWall says is affected
SonicWall says the affected versions are 12.4.3-03245 and earlier, and 12.5.0-02283 and earlier, both identified as platform-hotfix builds. The company also says these issues do not affect SSL VPN features on standard SonicWall firewall products.
For fixes, the official PSIRT advisory lists 12.4.3-03387 and higher, and 12.5.0-02624 and higher, as the corrected versions users should move to. A SonicWall product notice circulated around the same advisory initially referenced earlier March hotfix builds, but community discussion and the PSIRT page point to 12.4.3-03387 and 12.5.0-02624 as the current fixed releases.
SonicWall also says there is currently no evidence that these four vulnerabilities are being exploited in the wild. Even so, the company is urging customers on older firmware to follow PSIRT guidance and upgrade promptly.
Why these flaws matter
SMA 1000 appliances sit in a sensitive position because they act as secure access gateways for remote connectivity. If an attacker can escalate privileges on one of these systems, bypass TOTP, or enumerate valid user credentials, that can weaken an organization’s remote access controls and increase the risk of deeper compromise. This is an inference based on the appliance role and the exploit impacts SonicWall describes.
CVE-2026-4112 stands out because it combines SQL injection with privilege escalation. A bug like that can turn a limited authenticated foothold into full administrative control over the appliance, which is why it received the highest score in this batch.
The MFA bypass bugs matter for a different reason. Even though they require authenticated access, they target a layer many organizations rely on to reduce account abuse. If TOTP checks fail, a stolen or lower-level account may become much more useful to an attacker.
SonicWall SMA 1000 vulnerabilities at a glance
| CVE | Severity | Main impact | Authentication needed |
|---|---|---|---|
| CVE-2026-4112 | 7.2 High | SQL injection and privilege escalation to primary admin | Yes |
| CVE-2026-4113 | 5.3 Medium | SSL VPN user credential enumeration | No |
| CVE-2026-4114 | 6.6 Medium | AMC TOTP bypass | Yes |
| CVE-2026-4116 | 6.0 Medium | Workplace or Connect Tunnel TOTP bypass | Yes |
What admins should do now
- Upgrade SMA 1000 appliances to 12.4.3-03387 or later, or 12.5.0-02624 or later, depending on your branch.
- Do not rely on a workaround. SonicWall’s advisory does not list any workaround or mitigation other than applying the hotfix.
- Prioritize externally reachable SMA 1000 systems, especially those that expose administrative or SSL VPN services. This is a practical inference from the advisory’s remote attack scenarios.
- Review logs and authentication activity for unusual login behavior, failed TOTP patterns, or signs of account discovery. This follows from the credential enumeration and MFA bypass impacts SonicWall documented.
- Download updates from the MySonicWall portal or SonicWall support channels referenced in the vendor notice.
FAQ
SonicWall says the flaws affect SMA 1000 series appliances, including SMA 6210, SMA 7210, SMA 8200v, and Central Management Server.
No. SonicWall says these vulnerabilities do not impact SSL VPN features running on standard SonicWall firewall products.
SonicWall says there is no evidence at this time that these four issues are being exploited in the wild.
SonicWall’s advisory does not provide a workaround or alternative mitigation. The vendor guidance is to install the fixed hotfix versions.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages