Defense Digests

SonicWall SNWLID‑2026‑0004 – Vulnerability Threat Report 

Classification: TLP:WHITE – Unrestricted Distribution 
Report Generated: 2026‑04‑29 11:40 MST | Source(s): NVD (CVE‑2026‑0204, CVE‑2026‑0205, CVE‑2026‑0206) • SonicWall PSIRT SNWLID‑2026‑0004 

Advisory Overview 

Advisory ID: SNWLID‑2026‑0004
First Published: 2026‑04‑29
Last Updated: 2026‑04‑29
Status: Applicable (patches available)
Workaround Available: Yes
CVE(s): CVE‑2026‑0204, CVE‑2026‑0205, CVE‑2026‑0206
CWE(s): CWE‑1390 (Weak Authentication), CWE‑35 (Path Traversal), CWE‑121 (Stack‑Based Buffer Overflow)
Overall CVSS v3: 8.0 (vector AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) – reflects the highest‑severity finding (CVE‑2026‑0204).
Direct Link: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004

Threat Alert 

SNWLID‑2026‑0004 aggregates three newly disclosed vulnerabilities in SonicWall SonicOS firewalls. The flaws enable unauthenticated management‑interface access, path traversal to restricted services, and a stack‑based buffer overflow that can crash the appliance. Exploitation requires minimal skill; CVE‑2026‑0204 scores HIGH (8.0) while the other two score MEDIUM. Although no public exploits are known, the low attack complexity makes these issues attractive to opportunistic attackers and more sophisticated threat actors alike.

Executive Summary 

Three distinct vulnerabilities affect all SonicWall Gen 6 to Gen 8 firewalls (hardware and virtual appliances) that have not yet been patched; each is described in the Vulnerability Details section below.

Patches have already been released for all affected platforms. Immediate remediation is required.  

An attacker who gains admin control can modify firewall policies, exfiltrate credentials, or render the perimeter device unavailable. 

Business impact: Full admin takeover (CVE‑0204) can alter firewall policies, open backdoors, or exfiltrate secrets. Path traversal (CVE‑0205) may expose configuration files and certificates. Buffer overflow (CVE‑0206) can cause service outages, affecting the availability of perimeter defenses. 

Vulnerability Details 

CVE‑2026‑0204
  Primary impact: Unauthenticated management‑interface functions become reachable, leading to full device compromise.
  CVSS base (CISA‑ADP): 8.0 HIGH – AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CWE(s): CWE‑306 (Missing Authentication), CWE‑1390 (Weak Authentication)

CVE‑2026‑0205
  Primary impact: Authenticated path traversal (../) to internal services, leading to data leakage or a further foothold.
  CVSS base (CISA‑ADP): 6.8 MEDIUM – AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
  CWE(s): CWE‑35 (Path Traversal)

CVE‑2026‑0206
  Primary impact: Stack‑based buffer overflow in a post‑auth routine, leading to a denial‑of‑service crash.
  CVSS base (CISA‑ADP): 4.9 MEDIUM – AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
  CWE(s): CWE‑121 (Stack‑Based Buffer Overflow)

Technical Analysis 

Root Causes 

CVE‑2026‑0204: Missing or improperly enforced access‑control checks on management UI endpoints.
CVE‑2026‑0205: Insufficient sanitisation of file‑path parameters, allowing ../ traversal to bypass directory restrictions.
CVE‑2026‑0206: Bounds‑checking omission in a packet‑parsing routine, leading to stack corruption and process termination.

Attack Surface & Exploitation Mechanisms 

  1. CVE‑2026‑0204 – Unauthenticated Management Access
     Attacker sends a crafted HTTP/HTTPS request to a management endpoint (e.g., /admin/config) from any adjacent network segment. The firewall processes the request without authentication, granting full admin rights.
  2. CVE‑2026‑0205 – Path Traversal
     Authenticated attacker invokes a file‑download or API call with a payload such as ../../etc/passwd (or URL‑encoded %2e%2e%2f). The server fails to canonicalise the path, exposing internal files or services.
  3. CVE‑2026‑0206 – Stack Buffer Overflow
     Remote attacker sends a specially crafted packet to a post‑auth service (e.g., SSL‑VPN). The packet overflows a fixed‑size buffer on the stack, causing an immediate crash and denial of service.
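The root cause listed for CVE‑2026‑0205 is a missing canonicalisation step on a file‑path parameter. The following is an added example (not SonicWall code and not from the advisory) of the check a download handler should perform before touching disk: percent‑decode until stable, normalise the path lexically, then confirm the result still lies under the allowed export directory. The export root (/var/export) and the function names are assumptions for illustration.

```python
"""Defensive path canonicalisation for a file-download parameter.

Added example, not SonicWall code. It demonstrates the check whose absence
is the CWE-35 root cause described for CVE-2026-0205: decode, normalise,
then verify the result is still inside the permitted directory.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical directory the download handler is allowed to serve from (assumption).
EXPORT_ROOT = "/var/export"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so double-encoded '%252e%252e%252f' is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_download_path(user_value: str, root: str = EXPORT_ROOT) -> str:
    """Return the canonical absolute path for user_value, or raise ValueError.

    The check is purely lexical (no filesystem access), which is what a
    request handler should do before it opens anything.
    """
    decoded = fully_decode(user_value)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Treat backslashes as separators so Windows-style traversal is not missed.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise ValueError("absolute paths are not allowed")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # normpath collapses '..' segments; anything that escaped root shows up here.
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise ValueError(f"path escapes export root: {user_value!r}")
    return candidate


def is_safe_download(user_value: str) -> bool:
    """Convenience wrapper: True when the value resolves inside the export root."""
    try:
        resolve_download_path(user_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("reports/summary.txt", "../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc%2fpasswd"):
        print(f"{sample!r}: {'allowed' if is_safe_download(sample) else 'rejected'}")
```

The decode‑then‑normalise order matters: normalising first and decoding afterwards would let an encoded ../ survive the check, which is exactly the failure the advisory describes.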

Exploit Chain Diagram

[Exploit chain diagram image not reproduced in this text version.]

Exploit Maturity 

No public exploit code is currently available. However, the low attack complexity and high impact of CVE‑2026‑0204 make it a prime candidate for rapid weaponization. The advisory’s “Applicable” status indicates that patches are already released, underscoring the urgency to apply them before any exploit emerges. 

Affected Systems & Versions 

Gen 6 (hardware): SOHO‑W, TZ 300/300W/400/400W/500/500W/600, NSA 2650/3600/3650/4600/4650/5600/5650/6600/6650, SM 9200/9250/9400/9450/9600/9650, TZ 300P/TZ 600P, SOHO 250/250W, TZ 350/350W
Gen 7 – NSv (virtual): NSv 270, NSv 470, NSv 870 (ESX/KVM/Hyper‑V/AWS/Azure)
Gen 7 – Firewalls (hardware): TZ 270/270W, TZ 370/370W, TZ 470/470W, TZ 570/570W, TZ 570P, TZ 670, NSa 2700/3700/4700/5700/6700, NSsp 10700/11700/13700/15700
Gen 8 (hardware): TZ 80/280/380/480/580/680, NSa 2800/3800/4800/5800

Note: The Fixed Software list in the advisory mirrors the above platforms – patches have been released for every model shown. 

Workaround / Mitigation 

Until firmware updates can be applied, SonicWall PSIRT recommends the following hardening steps: 

  1. Disable HTTP/HTTPS‑based firewall management on all interfaces.
  2. Disable SSL‑VPN services on all interfaces.
  3. Restrict management access to SSH only, and limit SSH source IPs to trusted networks (e.g., the VPN subnet).

These actions eliminate the attack vectors used by CVE‑2026‑0204 and CVE‑2026‑0205, while also reducing exposure for the buffer‑overflow bug. 

Patch Information 

  • Fixed Firmware – The vendor has released patches for every platform listed in Affected Platforms. Administrators should upgrade to the latest SonicOS release (e.g., version 6.5.5.2‑28n or later for Gen 6; corresponding versions for Gen 7/8). 
  • Verification – After upgrading, confirm the firmware version via the CLI (show version) and ensure that the patch level matches the “Fixed Platforms” list in the advisory. 

Additional Comments (Gen 6 Downgrade Warning) 

  • Downgrading a Gen 6 appliance from 6.5.5.2‑28n to any earlier firmware is not supported.
  • The downgrade can delete all LDAP users and reset MFA settings. 
  • If a rollback is ever required, administrators must manually re‑create LDAP accounts and re‑configure MFA after the downgrade. 
  • A full configuration backup before upgrading is strongly recommended. 

Threat Context & Real‑World Risk 

Commodity attackers / script kiddies
  Motivation: Ransomware, botnet recruitment
  Likelihood: High – low barrier to exploit.

Organised crime
  Motivation: Steal credentials, sell access to critical infrastructure
  Likelihood: Medium – will combine with credential‑theft tools.

APT groups
  Motivation: Long‑term espionage on high‑value networks
  Likelihood: Low‑Medium – requires development of a custom exploit for CVE‑2026‑0204.

Priority Rating 

HIGH (driven by CVE‑2026‑0204): Patch within 72 hours; treat as an emergency.
MEDIUM (CVE‑2026‑0205, CVE‑2026‑0206): Patch within 7 days; apply the workaround immediately if patching is delayed.

Indicators of Compromise (IoCs) 

Network Indicators 

URL pattern: /admin/* accessed from non‑trusted IPs – possible CVE‑2026‑0204 exploitation.
Path traversal payload: ../..//, %2e%2e%2f in query strings (e.g., /download?file=../../etc/passwd) – CVE‑2026‑0205 attempts.
Malformed packets: High‑frequency small TCP segments to management ports causing abrupt resets – CVE‑2026‑0206 DoS attempts.

Host Indicators 

Process crash / restart of the SonicOS service – buffer overflow trigger (CVE‑2026‑0206).
New admin sessions without prior authentication logs – bypass of access control (CVE‑2026‑0204).
Unexpected file reads from /etc/ or other privileged locations via the firewall UI/API – path traversal activity.

Detection Signature (Sigma / YAML)

title: SonicWall SNWLID-2026-0004 Exploitation Attempt
id: 8f2c1d3e-7a9b-41c5-b0ef-9c6d5fa2b8a1
status: experimental
description: Detects suspicious management-UI calls, path-traversal payloads, or crash-inducing packets targeting SonicWall firewalls (SNWLID-2026-0004).
author: Automated Threat Intel Engine
date: 2026-04-30
logsource:
  product: sonicwall
  service: firewall
detection:
  auth_bypass:
    EventID: 1001          # example ID for admin UI access
    Message|contains: '/admin/'
  trusted_src:             # approved management source ranges; adjust to your environment
    SrcIP|cidr:
      - '10.0.0.0/8'
      - '192.168.0.0/16'
  path_traversal:
    EventID: 1012
    Message|contains:
      - '../'
      - '%2e%2e%2f'        # URL-encoded form of the same payload
  buffer_overflow:
    EventID: 1025
    Message|contains: 'stack overflow'   # typical crash log entry
  # Sigma has no "not_in" modifier: exclude trusted sources in the condition instead.
  condition: (auth_bypass and not trusted_src) or path_traversal or buffer_overflow
falsepositives:
  - Legitimate remote management from approved IP ranges.
level: high
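To show what the three detection branches above actually match, here is an added example (not part of the advisory and not SonicWall tooling) that runs the same logic over a handful of constructed log lines. The line format (EventID=… SrcIP=… Message="…") is a constructed simplification that mirrors the field names in the Sigma rule; real SonicOS syslog uses different keys and would need its own parser. The event IDs are the rule's placeholder values, and the trusted ranges are an assumption.

```python
"""Run the report's three detection branches over constructed log lines.

Added example, not from the advisory or from SonicWall. The log format,
event IDs and trusted ranges are assumptions that mirror the Sigma rule.
"""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Approved management source ranges (assumption: adjust to your environment).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Placeholder event IDs taken from the Sigma rule, not real SonicOS IDs.
ADMIN_UI_EVENT = 1001
FILE_ACCESS_EVENT = 1012
CRASH_EVENT = 1025

# Constructed line format: EventID=<n> SrcIP=<ip> Message="<text>"
LINE_RE = re.compile(r'EventID=(?P<id>\d+)\s+SrcIP=(?P<src>\S+)\s+Message="(?P<msg>[^"]*)"')


def parse_line(line: str) -> Optional[dict]:
    """Extract the three fields the rule uses; None for lines that do not fit."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"EventID": int(m["id"]), "SrcIP": m["src"], "Message": m["msg"]}


def is_trusted(src: str) -> bool:
    """True when src parses as an address inside one of the approved ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is never treated as trusted
    return any(addr in net for net in TRUSTED_NETS)


def classify(event: dict) -> Optional[str]:
    """Return the matched branch name, or None when the event is benign."""
    eid, src, msg = event["EventID"], event["SrcIP"], event["Message"]
    if eid == ADMIN_UI_EVENT and "/admin/" in msg and not is_trusted(src):
        return "auth_bypass"
    # Decode once so %2e%2e%2f is caught by the same substring test as ../
    if eid == FILE_ACCESS_EVENT and "../" in unquote(msg):
        return "path_traversal"
    if eid == CRASH_EVENT and "stack overflow" in msg.lower():
        return "buffer_overflow"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (branch, source IP, message) for every line that alerts."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        branch = classify(ev)
        if branch:
            hits.append((branch, ev["SrcIP"], ev["Message"]))
    return hits


# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOG = [
    'EventID=1001 SrcIP=10.20.30.40 Message="GET /admin/config"',      # trusted source: no alert
    'EventID=1001 SrcIP=203.0.113.7 Message="GET /admin/config"',      # untrusted source: auth_bypass
    'EventID=1012 SrcIP=192.168.1.5 Message="GET /download?file=../../etc/passwd"',
    'EventID=1012 SrcIP=192.168.1.5 Message="GET /download?file=%2e%2e%2fetc%2fpasswd"',
    'EventID=1012 SrcIP=192.168.1.5 Message="GET /download?file=reports/summary.txt"',
    'EventID=1025 SrcIP=198.51.100.9 Message="service restart: stack overflow in packet parser"',
    'not a recognised line',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Note that the first sample line is deliberately silent: a management call from an approved range is the false positive the rule lists, so the trusted‑source exclusion is applied only to the auth‑bypass branch, while traversal payloads and crash messages alert regardless of source.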

References & Further Reading 

NVD – CVE‑2026‑0204: https://nvd.nist.gov/vuln/detail/CVE-2026-0204
NVD – CVE‑2026‑0205: https://nvd.nist.gov/vuln/detail/CVE-2026-0205
NVD – CVE‑2026‑0206: https://nvd.nist.gov/vuln/detail/CVE-2026-0206
SonicWall PSIRT Advisory (SNWLID‑2026‑0004): https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004
Official SonicWall Firmware Update Notice: https://www.sonicwall.com/support/notices/security-advisory-firmware-update-required-gen-6-gen-7-and-gen-8-firewalls/
CWE‑1390 – Weak Authentication: https://cwe.mitre.org/data/definitions/1390.html
CWE‑35 – Path Traversal: https://cwe.mitre.org/data/definitions/35.html
CWE‑121 – Stack‑Based Buffer Overflow: https://cwe.mitre.org/data/definitions/121.html
  

Report generated by Dataprise, Dallas Myers | 04/29/2026 11:40 MST | Classification: TLP:WHITE 
