Description
A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions.
Published: 2026-04-29
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the access control mechanism of SonicOS, allowing certain management interface functions to be reachable when specific conditions apply. This could enable an attacker to perform privileged operations without proper authorization, compromising configuration integrity and potentially allowing further exploitation. The weakness is of type improper authorization and insecure default configuration, as reflected by CWE-1390 and CWE-306.

Affected Systems

SonicWall’s SonicOS firmware is affected. No specific product versions are listed in the advisory, so the vulnerability could be present across multiple releases until addressed. Organizations running SonicOS should verify the firmware version against SonicWall’s security advisory.

Risk and Exploitability

The advisory provides a CVSS score of 8, indicating a high-severity vulnerability. The EPSS estimate is not available, and the flaw is not listed in CISA’s KEV catalog, suggesting no widespread exploitation is documented to date. The likely attack surface is the management interface exposed over the network, which could be reached by internal or potentially external actors if the interface is accessible to them. Without a documented exploitation method, the risk appears moderate, yet the flaw permits unauthorized use of management functions, presenting a significant potential impact if exploited. Organizations should consider this a medium to high risk until a patch is applied.

Generated by OpenCVE AI on April 29, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SonicOS firmware update that resolves the access control flaw
  • Restrict management interface access to trusted networks or VPN, blocking public or untrusted IP ranges
  • Disable or limit unused management services and enforce strict role-based permissions
  • Enable detailed logging for management interface activity and monitor for anomalous access attempts


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 21:45:00 +0000

  Type: Title
  Values Removed: none
  Values Added: Access Control Bypass in SonicOS Management Functions

Wed, 29 Apr 2026 20:15:00 +0000

  Type: First Time appeared
  Values Removed: none
  Values Added: Sonicwall; Sonicwall sonicos

  Type: Vendors & Products
  Values Removed: none
  Values Added: Sonicwall; Sonicwall sonicos

Wed, 29 Apr 2026 17:15:00 +0000

  Type: Metrics
  Values Removed: none
  Values Added:
    cvssV3_1: {'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 16:45:00 +0000

  Type: Description
  Values Removed: none
  Values Added: A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions.

  Type: Weaknesses
  Values Removed: none
  Values Added: CWE-1390; CWE-306

  Type: References
  Values Removed: none
  Values Added: none

Subscriptions

Sonicwall Sonicos
MITRE

Status: PUBLISHED

Assigner: sonicwall

Published:

Updated: 2026-04-30T03:55:59.264Z

Reserved: 2025-10-30T10:54:03.249Z

Link: CVE-2026-0204

Vulnrichment

Updated: 2026-04-29T16:52:48.471Z

NVD

Status: Awaiting Analysis

Published: 2026-04-29T17:16:40.307

Modified: 2026-04-30T15:11:12.703

Link: CVE-2026-0204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:30:20Z

Weaknesses