medium advisory

Multiple Vulnerabilities in SonicWall Products Allow for DoS and Security Policy Bypass

Multiple vulnerabilities in SonicWall firewalls could allow an attacker to cause a remote denial of service and security policy bypass, potentially disrupting network services and compromising security controls.

On April 30, 2026, CERT-FR published an advisory regarding multiple vulnerabilities affecting various SonicWall firewall products. These vulnerabilities, detailed in SonicWall security bulletin SNWLID-2026-0004, could allow an unauthenticated remote attacker to trigger a denial-of-service condition or bypass security policies. The affected products include a wide range of SonicWall firewalls across multiple generations (Gen 6, Gen 7, and Gen 8), as well as NSv virtual firewalls deployed in ESX, KVM, Hyper-V, AWS, and Azure environments. Successful exploitation of these vulnerabilities could lead to significant disruption of network services and a compromise of security controls.

Attack Chain

  1. The attacker identifies a vulnerable SonicWall firewall exposed to the internet.
  2. The attacker sends a specially crafted network packet to the firewall. This packet exploits one of the vulnerabilities (CVE-2026-0204, CVE-2026-0205, or CVE-2026-0206).
  3. If the attacker exploits a DoS vulnerability, the firewall’s CPU and memory resources are consumed, leading to a denial-of-service condition.
  4. Legitimate network traffic is disrupted due to the firewall’s degraded performance or complete failure.
  5. If the attacker exploits a security policy bypass vulnerability, they can potentially gain unauthorized access to internal network resources.
  6. The attacker may then attempt to move laterally within the network, exploiting additional vulnerabilities in other systems.

Impact

Successful exploitation of these vulnerabilities could lead to a complete denial of service, disrupting network connectivity for affected organizations. A security policy bypass could also allow unauthorized access to sensitive internal resources. The number of potential victims is significant, given the widespread use of SonicWall firewalls across various industries.

Recommendation

  • Apply the patches outlined in SonicWall security bulletin SNWLID-2026-0004 to all affected SonicWall firewalls immediately.
  • Monitor network traffic for suspicious activity targeting SonicWall firewalls.
  • Deploy the Sigma rules below to your SIEM to detect potential exploitation attempts in your environment.
  • Review and enforce strict network segmentation policies to limit the impact of a potential security policy bypass.

Detection coverage 2

Detect Traffic to Potentially Vulnerable SonicWall Devices

low

Detects network traffic directed towards SonicWall devices, which may indicate reconnaissance or exploitation attempts targeting the vulnerabilities described in CERTFR-2026-AVI-0517.

sigma; tactics: reconnaissance; techniques: T1595; sources: network_connection, zeek

Detect Security Policy Bypass Attempt

high

Detects potential attempts to bypass security policies on SonicWall devices by monitoring specific network traffic patterns.

sigma; tactics: defense_evasion; techniques: T1078; sources: network_connection, zeek
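The first rule above watches connections toward SonicWall devices for reconnaissance (T1595). As an added example (not this feed's rule, and not SonicWall or CERT-FR code), the script below applies that idea to Zeek conn.log records: it flags sources outside the internal range that touch several distinct ports on inventoried firewall addresses. The device inventory, internal range, port threshold and log rows are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the advisory): device inventory, internal range, threshold.
SONICWALL_DEVICES = {"203.0.113.10", "203.0.113.11"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PORT_THRESHOLD = 3  # distinct destination ports from one source

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "conn_state"]
# Constructed sample rows in Zeek conn.log TSV layout; ports are arbitrary.
_ROWS = [
    ("1.0", "C1", "198.51.100.7", "50001", "203.0.113.10", "443", "tcp", "SF"),
    ("1.2", "C2", "198.51.100.7", "50002", "203.0.113.10", "4433", "tcp", "REJ"),
    ("1.4", "C3", "198.51.100.7", "50003", "203.0.113.10", "8443", "tcp", "S0"),
    ("1.6", "C4", "198.51.100.7", "50004", "203.0.113.10", "22", "tcp", "REJ"),
    ("2.0", "C5", "192.0.2.44", "41000", "203.0.113.10", "443", "tcp", "SF"),
    ("3.0", "C6", "10.1.2.3", "42000", "203.0.113.11", "443", "tcp", "SF"),
    ("3.1", "C7", "10.1.2.3", "42001", "203.0.113.11", "22", "tcp", "SF"),
    ("3.2", "C8", "10.1.2.3", "42002", "203.0.113.11", "80", "tcp", "SF"),
    ("4.0", "C9", "198.51.100.7", "50005", "192.0.2.200", "80", "tcp", "SF"),
]
SAMPLE_CONN_LOG = "#fields\t" + "\t".join(FIELDS) + "\n" + "\n".join("\t".join(r) for r in _ROWS)

def parse_conn_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def is_internal(addr):
    """True when addr falls inside one of the configured internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_scanners(records):
    """Return {source: sorted ports} for non-internal sources probing the devices."""
    ports = defaultdict(set)
    for r in records:
        if r["id.resp_h"] in SONICWALL_DEVICES and not is_internal(r["id.orig_h"]):
            ports[r["id.orig_h"]].add(int(r["id.resp_p"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= PORT_THRESHOLD}

if __name__ == "__main__":
    for src, probed in find_scanners(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{src} probed SonicWall device ports {probed}")
```

A single connection from an outside address and multi-port access from the internal range are both left out of the result, which keeps routine VPN users and administrators from flooding the alert queue.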

Detection queries are kept inside the platform.