Threat Feed: high advisory

SonicWall Firewall Vulnerabilities Addressed in Security Advisory AV26-405

SonicWall has released a security advisory addressing vulnerabilities in its Gen6, Gen7, and Gen8 firewalls and SonicOS, urging users to update affected firmware versions to mitigate potential exploitation.

On April 29, 2026, SonicWall published security advisory AV26-405 to address multiple vulnerabilities affecting its Gen6, Gen7, and Gen8 series firewalls and SonicOS. The advisory lists the following affected firmware versions:

  • Gen6 hardware firewalls: 6.5.5.1-6n and prior
  • Gen7 firewalls and NSv: 7.0.1-5169 and prior, and 7.3.1-7013 and prior
  • Gen8 firewalls: 8.1.0-8017 and prior

Note that two Gen7 maintenance branches (7.0.1 and 7.3.1) are listed separately, so a Gen7 device should be checked against the cutoff for the branch it actually runs. Defenders should promptly review the associated SonicWall PSIRT advisory and apply the recommended updates to prevent potential exploitation. The vulnerabilities could allow attackers to gain unauthorized access, execute arbitrary code, or cause denial-of-service conditions on affected devices.
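The version cutoffs above are easy to misread when an estate mixes generations and maintenance branches. The following Python is an added example (not code from SonicWall or from the advisory) that parses SonicOS version strings of the form "7.0.1-5169" or "6.5.5.1-6n" and flags firmware at or below a listed cutoff. The branch interpretation is an assumption of this example: a version on the same release branch as a cutoff (for instance 7.0.1) is treated as fixed once its build number exceeds the cutoff build, while any other release older than the newest cutoff is treated as "prior" and therefore affected. The inventory records are constructed for the demonstration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Affected-version ceilings exactly as the advisory text lists them
# ("<version> and prior"), grouped by hardware generation.
AFFECTED_CEILINGS: Dict[str, List[str]] = {
    "Gen6": ["6.5.5.1-6n"],
    "Gen7": ["7.0.1-5169", "7.3.1-7013"],
    "Gen8": ["8.1.0-8017"],
}

# SonicOS version strings look like "7.0.1-5169" or "6.5.5.1-6n":
# dotted release numbers, a dash, a numeric build and an optional letter suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]*)$")


class SonicOSVersion(NamedTuple):
    release: Tuple[int, ...]   # (7, 0, 1)
    build: int                 # 5169
    suffix: str                # "n" in "6n", "" when absent

    @classmethod
    def parse(cls, text: str) -> "SonicOSVersion":
        m = _VERSION_RE.match(text.strip().lower())
        if not m:
            raise ValueError(f"unrecognised SonicOS version string: {text!r}")
        release = tuple(int(part) for part in m.group(1).split("."))
        return cls(release, int(m.group(2)), m.group(3))

    def key(self):
        # Tuple ordering: release numbers first, then build, then letter suffix.
        return (self.release, self.build, self.suffix)


def is_affected(generation: str, version_text: str) -> bool:
    """Return True when the firmware is at or below an advisory ceiling.

    Assumption of this example (not advisory wording): a version on the same
    release branch as a listed ceiling is fixed once its build exceeds the
    ceiling build; any other release older than the newest ceiling is "prior".
    """
    v = SonicOSVersion.parse(version_text)
    ceilings = [SonicOSVersion.parse(c) for c in AFFECTED_CEILINGS[generation]]
    for c in ceilings:
        if c.release == v.release:
            return v.key() <= c.key()
    return v.key() < max(c.key() for c in ceilings)


def triage_inventory(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter an asset list down to the firewalls that still need the update."""
    return [dev for dev in inventory if is_affected(dev["generation"], dev["firmware"])]


# Constructed sample inventory for demonstration; not real devices.
SAMPLE_INVENTORY = [
    {"name": "fw-branch-01", "generation": "Gen6", "firmware": "6.5.5.1-6n"},
    {"name": "fw-hq-01",     "generation": "Gen7", "firmware": "7.0.1-5169"},
    {"name": "fw-hq-02",     "generation": "Gen7", "firmware": "7.0.1-5170"},
    {"name": "nsv-dc-01",    "generation": "Gen7", "firmware": "7.3.1-7014"},
    {"name": "fw-lab-01",    "generation": "Gen8", "firmware": "8.0.0-8000"},
    {"name": "fw-edge-01",   "generation": "Gen8", "firmware": "8.1.0-8018"},
]

if __name__ == "__main__":
    for dev in triage_inventory(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {dev['name']} ({dev['generation']} {dev['firmware']})")
```

Feed it the generation and firmware string from your asset inventory or from the device's own status page; anything it returns is at or below a listed cutoff. Confirm the exact fixed build for your branch in the PSIRT advisory before treating a device as patched.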

Attack Chain

While the advisory does not detail specific exploitation steps, a typical attack chain against firewall vulnerabilities of this kind could include the following:

  1. Reconnaissance: Attackers scan the internet for SonicWall firewalls whose exposed services reveal a vulnerable firmware version.
  2. Vulnerability Exploitation: Attackers exploit one of the vulnerabilities, for example with a crafted network packet or web request to an exposed service, to gain an initial foothold on the firewall.
  3. Privilege Escalation: If the initial exploit does not provide sufficient privileges, attackers attempt to escalate privileges within the firewall's operating system.
  4. Configuration Access: Attackers read the firewall's configuration to harvest sensitive information, such as VPN credentials or network topology details.
  5. Lateral Movement: Using the gathered credentials and topology, attackers move laterally within the internal network, targeting other systems and resources.
  6. Data Exfiltration: Attackers exfiltrate sensitive data from the compromised network through the firewall.
  7. Persistence: Attackers establish persistent access on the firewall so that they retain control even after the initial vulnerability is patched; a firmware update alone does not remove such access.
  8. Disruption / Ransomware: Finally, attackers may deploy ransomware on the internal network or disrupt network services by manipulating the firewall configuration.

Impact

Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized access to internal networks, steal sensitive data, disrupt network services, and potentially deploy ransomware. The impact could range from limited data exposure to complete network compromise, depending on the attacker's objectives and the organization's security posture. Given the widespread use of SonicWall firewalls, a successful broad campaign could affect numerous organizations across many sectors.

Recommendation

  • Immediately apply the recommended firmware updates for Gen6, Gen7, and Gen8 firewalls as outlined in the SonicWall security advisory (https://psirt.global.sonicwall.com/vuln-list).
  • After updating, review the device for unexpected administrator accounts or configuration changes and rotate credentials stored on the firewall (local administrators, VPN users, directory-service bind accounts), since configuration access and persistence established before the update are not undone by the update itself.
  • Monitor network traffic for suspicious activity originating from or directed towards SonicWall firewalls using the provided Sigma rules.
  • Restrict access to the firewall's management interface: disable management on WAN-facing interfaces where possible and allow it only from trusted administrative networks.
  • Enable logging on the SonicWall firewall and forward logs to a SIEM for analysis and alerting.

Detection coverage (2 rules)

Detect Outbound Connection to Non-Standard Port from SonicWall

Severity: medium

Detects outbound connections from SonicWall firewalls to non-standard ports, potentially indicating command and control activity after a compromise.

Sigma metadata: tactic command_and_control; technique T1071.001; log sources network_connection, windows

Detect Configuration File Access from Unusual Process

Severity: high

Detects processes other than the SonicWall management interface accessing configuration files, potentially indicating unauthorized access.

Sigma metadata: tactic discovery; technique T1083; log sources file_event, windows
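To make the two rules above concrete, here is an added Python example of their detection logic run over constructed telemetry. It is not the platform's Sigma rules and not SonicWall code. Both rules list windows as their log source, so the example uses Sigma-style Windows field names (SourceIp, DestinationPort, Initiated, Image, TargetFilename); applying the first rule to the firewall's own syslog would require mapping SonicOS fields onto these names. The firewall address, the allowed outbound ports, the internal address ranges, the ".exp" config-file convention and the allowlisted management process path are all assumptions to be tuned per environment, and the sample events are constructed.

```python
import ipaddress
from typing import Dict, List

# ---- Rule 1: outbound connection to a non-standard port from the firewall ----
#
# Assumptions, not taken from the advisory: the public address of the
# monitored SonicWall, the outbound ports it is expected to use (DNS, HTTP,
# NTP, HTTPS) and the RFC 1918 ranges that count as "internal".
FIREWALL_IPS = {"203.0.113.1"}
STANDARD_PORTS = {53, 80, 123, 443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_nonstandard_outbound(event: Dict) -> bool:
    """True when a known firewall address initiates a connection to a
    non-internal destination on a port outside STANDARD_PORTS."""
    if event.get("EventType") != "network_connection" or not event.get("Initiated"):
        return False
    if event.get("SourceIp") not in FIREWALL_IPS:
        return False
    try:
        dst = ipaddress.ip_address(event.get("DestinationIp", ""))
    except ValueError:
        return False
    if any(dst in net for net in INTERNAL_NETS):
        return False  # syslog/SIEM/management traffic to internal hosts is expected
    return int(event.get("DestinationPort", 0)) not in STANDARD_PORTS


# ---- Rule 2: configuration file read by a process outside the allowlist ----
#
# Assumptions: exported SonicWall settings are ".exp" files (or paths that
# mention both "sonicwall" and "config"), and only the management tool below
# is expected to open them. The image path is a hypothetical placeholder.
ALLOWED_IMAGES = {r"c:\program files\sonicwall\management\sonicwall-manager.exe"}


def is_config_file(path: str) -> bool:
    p = path.lower()
    return p.endswith(".exp") or ("sonicwall" in p and "config" in p)


def is_unusual_config_access(event: Dict) -> bool:
    """True when a file event touches a config file and the acting process
    image is not on the allowlist (case-insensitive full-path match)."""
    if event.get("EventType") != "file_event":
        return False
    if not is_config_file(event.get("TargetFilename", "")):
        return False
    return event.get("Image", "").lower() not in ALLOWED_IMAGES


def run_detections(events: List[Dict]) -> List[Dict]:
    """Apply both rules and return one alert record per hit, in event order."""
    alerts = []
    for ev in events:
        if is_nonstandard_outbound(ev):
            alerts.append({"rule": "nonstandard_outbound_from_firewall", "severity": "medium", "event": ev})
        if is_unusual_config_access(ev):
            alerts.append({"rule": "config_access_unusual_process", "severity": "high", "event": ev})
    return alerts


# Constructed sample telemetry (Sigma-style field names); not real log data.
SAMPLE_EVENTS = [
    {"EventType": "network_connection", "SourceIp": "203.0.113.1", "DestinationIp": "198.51.100.20",
     "DestinationPort": 443, "Initiated": True},    # normal HTTPS egress
    {"EventType": "network_connection", "SourceIp": "203.0.113.1", "DestinationIp": "198.51.100.77",
     "DestinationPort": 8443, "Initiated": True},   # firewall beaconing to an odd port -> rule 1
    {"EventType": "network_connection", "SourceIp": "10.0.0.5", "DestinationIp": "198.51.100.77",
     "DestinationPort": 8443, "Initiated": True},   # not the firewall -> ignored by rule 1
    {"EventType": "network_connection", "SourceIp": "203.0.113.1", "DestinationIp": "10.0.0.9",
     "DestinationPort": 514, "Initiated": True},    # syslog to internal SIEM -> expected
    {"EventType": "file_event", "Image": r"C:\Program Files\SonicWall\Management\sonicwall-manager.exe",
     "TargetFilename": r"C:\Backups\sonicwall-config.exp"},   # allowlisted tool
    {"EventType": "file_event", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Backups\sonicwall-config.exp"},   # unexpected reader -> rule 2
    {"EventType": "file_event", "Image": r"C:\Windows\notepad.exe",
     "TargetFilename": r"C:\Users\admin\notes.txt"},         # not a config file
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['event']}")
```

The internal-range exclusion in rule 1 is the main tuning knob: without it, the firewall's own syslog, SNMP and management connections to internal hosts would fire the rule constantly. Rule 2 compares the full lower-cased image path, so a renamed copy of the management tool in a different directory is still flagged.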

Detection queries are available on the platform.