SonicWall next-generation firewall (NGFW) devices [2] [3] [6] [7] [8], specifically series 6 and 7, have been found with their management interfaces exposed to the internet, posing a significant security risk [7]. These devices are vulnerable to denial-of-service (DoS) attacks and potential remote code execution (RCE) [1] [2] [7].

Two DoS security flaws [2] [7], known as CVE-2022-22274 and CVE-2023-0656 [2] [3] [6] [7] [8], have been identified as the main vulnerabilities [7]. Research conducted by Bishop Fox and WatchTowr Labs revealed that over 178,000 SonicWall firewalls with exposed management interfaces are vulnerable to these issues. They found that 76% of the devices were vulnerable to at least one of the bugs [1], while 62% were vulnerable to both [1].

The impact of a widespread DoS attack could be severe [1] [8], as the devices require administrative action to restore normal functionality after three crashes [1]. While remote code execution is possible [1], it is currently considered unlikely due to the challenges involved in exploiting the vulnerabilities [1].

To mitigate the risk of a DoS attack [6], network administrators are urged to check for vulnerable devices and update to the latest firmware [6], which provides protection against both vulnerabilities. It is also recommended to ensure that the management interface is not exposed to the internet to further mitigate these threats [5]. This is particularly important considering SonicWall’s large customer base, which includes government agencies and global enterprises [7].

The vulnerabilities were discovered by Bishop Fox security experts, and exploitation is possible if attackers know the firmware running on the SonicWall firewall [4]. However, a patch is already available to address these vulnerabilities, making it crucial for network administrators to promptly update their devices.


SonicWall NGFW appliances’ management interfaces should not be exposed online [2], and upgrading to the latest firmware versions is advised to protect against the vulnerabilities. The vulnerabilities, tracked as CVE-2022-22274 and CVE-2023-0656 [3] [6] [7] [8], have not been exploited in the wild [3], but a proof-of-concept exploit for CVE-2023-0656 has been publicly released [3] [8].

The impact of a large-scale attack could be severe [1] [3] [8], as SonicOS restarts after a crash but requires administrative action after three crashes in a short period of time [3]. The latest firmware update protects against both vulnerabilities [3] [6] [8], and administrators are advised to remove the web management interface from public access and upgrade to the latest available version [3].

While a denial of service is currently possible [3], remote code execution would require additional research and overcoming challenges such as PIE [3], ASLR [3], and stack canaries [3]. The likelihood of attackers leveraging RCE is still low due to the difficulty of determining the firmware and hardware versions of a target SonicWall firewall remotely [3].