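SonicWall SonicOS SSL VPN Vulnerability Leads to Denial of Service
Bishop Fox discovered a remote, unauthenticated denial-of-service vulnerability in SonicWall SonicOS 7.1.x and 8.0.x; an attacker can cause the device to reboot by sending requests to specific API endpoints. The vulnerability is caused by a null pointer dereference and affects versions including 7.1.2-7019, 7.1.3-7015, 8.0.0-8035, and 8.0.0-8037. Upgrading to 7.2.0 or 8.0.1, or disabling the SSL VPN service, is recommended to fix the issue. 2025-4-24 13:0:0 Author: bishopfox.com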

This document describes a vulnerability identified by Bishop Fox staff in SonicWall SonicOS 7.1.x and 8.0.x.

Product Vendor

SonicWall

Product Description

SonicOS is the operating system that runs on SonicWall next-generation firewalls. The vendor’s official website is https://www.sonicwall.com/products/firewalls. The latest versions of the operating system are 7.2.0-7015 and 8.0.1-8017, released on April 23, 2025.

Vulnerabilities List

Bishop Fox identified a denial-of-service vulnerability in the SonicOS SSL VPN interface. This vulnerability is described in the following sections.

Affected Versions

Versions 7.1.2-7019, 7.1.3-7015, 8.0.0-8035, and 8.0.0-8037

Summary of Findings

Bishop Fox staff identified a vulnerability in SonicWall SonicOS 7.1.x and 8.0.x that allowed them to cause an affected NSv virtual appliance to reboot by sending unauthenticated requests to specific API endpoints, resulting in a denial-of-service condition. The vulnerability is present in the SSL VPN service, which is typically exposed to the internet by SonicWall customers who use this feature.

Impact

By repeating the attack, an attacker can cause an affected firewall to crash and reboot whenever a user connects to the SSL VPN, thereby preventing use of the SSL VPN service.

Solution

Update to version 7.2.0 or 8.0.1 or disable the SSL VPN service.

Denial of service

Denial of service (DoS) occurs when an attacker prevents authorized users from accessing a resource. This type of attack arises in three ways. First, it can occur when the transmission medium is disrupted between the user and the resource, leaving no path for communication. Second, the target system may be coaxed to reset, often repeatedly, which forces any established connections to reset as well. Third, the target resource may be fooled into consuming all available computing resources, thereby leaving no available resources to handle legitimate requests.

Vulnerability Details

CVE ID: CVE-2025-32818

Vulnerability Type: Null pointer dereference

Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)

Impact: ☐ Code execution, ☒ Denial of service, ☐ Escalation of privileges, ☐ Information disclosure, ☐ Other (if other, please specify)

Security Risk: ☐ Critical, ☒ High, ☐ Medium, ☐ Low

Vulnerability: CWE-703: Improper Check or Handling of Exceptional Conditions

Bishop Fox staff found that the SSL VPN web servers in SonicOS 7.1.x and 8.0.x are vulnerable to a remote, unauthenticated denial of service via an HTTP POST request to two URIs that are typically exposed to the internet on devices where the SSL VPN feature is in use.

If there is at least one active SSL VPN session, sending a specially crafted request to either endpoint will cause a segmentation fault (when the software attempts to access an invalid memory address) in the sonicosv process. The root cause is a null pointer dereference in a strncmp function.

The segmentation fault causes the appliance to reboot, making the service unavailable for several minutes. An attacker could cause a lengthier outage by sending the same request every few minutes. 

Bishop Fox staff validated the vulnerability against SonicOS 7.1.2-7019 and 7.1.3-7015 running on a virtual SonicWall NSv appliance. SonicWall confirmed that physical appliances running these SonicOS versions, as well as 8.0.0-8035 and 8.0.0-8037, are similarly vulnerable.
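The bug class named above (a NULL pointer reaching strncmp because an exceptional condition was not checked, CWE-703) is shown here as an added illustration; it is not SonicOS code and not part of the Bishop Fox advisory. The session table, the `token` field, the return codes and both function names are hypothetical, and the sample tokens are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical session record; not SonicOS code. */
struct session {
    const char *token;   /* identifier stored when the session was created */
};

#define TOKEN_LEN 16

/* Vulnerable pattern: req_token is NULL when the request omits the field.
 * With an empty table the loop body never runs, so in this model the fault
 * only appears once at least one session exists. */
int find_session_unsafe(const struct session *tab, size_t n, const char *req_token)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(req_token, tab[i].token, TOKEN_LEN) == 0) /* NULL deref */
            return (int)i;
    return -1;
}

/* Hardened form: a missing value is an exceptional condition, so the
 * request is rejected before any comparison takes place. */
int find_session_safe(const struct session *tab, size_t n, const char *req_token)
{
    if (tab == NULL || req_token == NULL)
        return -2;                       /* malformed request, no lookup */
    for (size_t i = 0; i < n; i++) {
        if (tab[i].token == NULL)
            continue;                    /* skip half-initialised entries */
        if (strncmp(req_token, tab[i].token, TOKEN_LEN) == 0)
            return (int)i;
    }
    return -1;                           /* well-formed, but no match */
}

int main(void)
{
    /* Constructed sample table with one half-initialised entry. */
    struct session tab[] = { { "constructed-tok1" }, { NULL }, { "constructed-tok2" } };
    /* Missing field is rejected; a valid token still resolves. */
    return !(find_session_safe(tab, 3, NULL) == -2 &&
             find_session_safe(tab, 3, "constructed-tok2") == 2);
}
```

Returning a distinct code for the malformed case lets the caller answer with an error response instead of letting the process fault.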

Credits

Timeline

  • 01/16/2025: Initial discovery
  • 01/24/2025: Submitted report to vendor
  • 01/27/2025: Exchanged clarifying information
  • 01/28/2025: Vendor assigned PSIRT ID
  • 02/10/2025: Vendor confirmed submission validity
  • 04/15/2025: Requested status update
  • 04/16/2025: Vendor assigned CVE-2025-32818 and CVSS severity 6.5
  • 04/17/2025: Requested re-evaluation of severity score
  • 04/21/2025: Vendor assigned CVSS severity 7.5
  • 04/23/2025: Vendor released updates and published advisory

Source: https://bishopfox.com/blog/sonicwall-sonicos-versions-7-1-x-and-8-0-x