SonicWall Released Hotfix for Critical SQL Injection Flaw
Which SonicWall Products Are Affected?
GMS 9.3.1-SP2-Hotfix1 and earlier versions
Analytics 2.5.0.3-2520 and earlier versions
How Does the Vulnerability Work?
The vulnerability, tracked as CVE-2022-22280, carries a CVSS score of 9.4 and is described by SonicWall as improper neutralization of special elements used in an SQL command, which can lead to unauthenticated SQL injection. Because no authentication is required, an attacker only needs network access to the web interface: they craft a request whose parameters contain SQL syntax, send it to the vulnerable application, and the application passes that syntax through to its database, executing attacker-chosen SQL statements.
Successful exploitation does not require any credentials and gives the attacker direct access to the application database, meaning they can read, modify and delete the data it holds, including the configuration and state the application relies on.
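To make the flaw class concrete, the following is an added example, not SonicWall code and not the GMS or Analytics schema (the advisory does not describe either). It uses a constructed in-memory SQLite database with made-up `users` and `settings` tables, and places the vulnerable lookup, which splices user input into the SQL text, beside the fixed one, which binds the input as a parameter. The same unauthenticated request parameter that returns one user in the first version can pull rows from an unrelated table through a UNION; the parameterized version treats the payload as a literal string and matches nothing.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.execute("CREATE TABLE settings (key TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "viewer")],
    )
    # A secret the attacker should never be able to reach through a user lookup.
    conn.execute("INSERT INTO settings VALUES (?, ?)", ("smtp_password", "hunter2"))
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89: the request parameter is concatenated into the statement,
    so quotes, UNION and comment markers in it are parsed as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name):
    """Parameterized query: the driver sends the value separately from the
    statement text, so it can only ever be compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Hypothetical attacker-controlled parameter values (constructed for this example).
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT key, value FROM settings --"


def demo():
    conn = build_db()
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vulnerable_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "fixed_normal": lookup_fixed(conn, "alice"),
        "fixed_tautology": lookup_fixed(conn, TAUTOLOGY_PAYLOAD),
        "fixed_union": lookup_fixed(conn, UNION_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} -> {rows}")
```

The UNION payload is the interesting one for an advisory that warns about reading data: the attacker never touches the `settings` table through any legitimate endpoint, yet the concatenated query returns its rows alongside the user lookup. Write and delete statements follow the same path where the database driver permits stacked statements; SQLite's `execute` refuses them, which is a property of the driver, not a defence to rely on.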
How to Fix the Vulnerability?
There is no workaround for this vulnerability; the only fix is to apply the hotfix. Until it is installed, placing the management interface behind a WAF (Web Application Firewall) and restricting which networks can reach it can reduce the chance of exploitation, but neither is a substitute for updating, since a WAF only blocks the injection patterns it recognizes.
According to the advisory, no proof-of-concept (PoC) code has been published, and SonicWall has not received any reports of this issue being exploited in the wild.
SonicWall has published deployment instructions to help organizations update their GMS installations.