CVE-2026-4116 - Vulnerability Details

Description

Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication.

Published: 2026-04-09

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Improper handling of Unicode encoding in SonicWall SMA1000 series appliances enables a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication. This bug can allow an attacker who is already authenticated to substitute a malformed Unicode character and cause the system to skip the one‑time password challenge, granting unauthorized access and potentially exposing protected data. The weakness corresponds to CWE‑176 (Improper Encoding), and it directly undermines the confidentiality and integrity of user sessions.

Affected Systems

The vulnerability affects all SonicWall SMA1000 appliances. No specific firmware versions are listed, so all current releases of the SMA1000 series should be considered at risk until a patch is applied.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while an EPSS value below 1 % signals a low probability of widespread exploitation. The vulnerability is not yet listed in the CISA KEV catalog. The attack requires a malicious Unicode input designed to exploit the encoding flaw, and the attacker must already be authenticated via SSLVPN. Because the flaw directly bypasses the TOTP challenge, exploitation could lead to full session takeover if troubleshooting or administrative privileges are granted. The likely attack vector is remote authenticated—an attacker who can log into the SSLVPN can send the crafted Unicode payload and bypass the two‑factor step.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SonicWall

SMA1000

unknown

Version	Status	Constraints
`12.4.3-03245 (platform-hotfix) and earlier versions.`	affected	—
`12.5.0-02283 (platform-hotfix) and earlier versions.`	affected	—

No data.

Vendor Product Confidence Versions

Sonicwall

Sma1000

100%

Version	Status	Scheme	Platform
`[0,12.4.3-03245]`	affected	semver	['linux']
`[0,12.5.0-02283]`	affected	semver	['linux']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the SonicWall PSIRT portal for the latest firmware update that addresses Unicode handling in the SMA1000 series and apply the patch as soon as it is available.
Verify after upgrading that Workplace/Connect Tunnel TOTP authentication behaves correctly by attempting a test login with a valid OTP.
Monitor SSLVPN logs for anomalous login attempts that lack OTP confirmation, and investigate any instances where authentication succeeds without the expected TOTP prompt.
If an update is not yet available, temporarily disable TOTP enforcement for SSLVPN sessions or restrict access to the appliance until the vendor releases a remediation.

Generated by OpenCVE AI on April 13, 2026 at 21:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00109.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003

History

Tue, 14 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
Title	Bypass of TOTP Authentication via Unicode Exploit in SonicWall SMA1000 SSLVPN

Mon, 13 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 10:00:00 +0000

Type	Values Removed	Values Added
Title		Bypass of TOTP Authentication via Unicode Exploit in SonicWall SMA1000 SSLVPN

Fri, 10 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sonicwall Sonicwall sma1000
Vendors & Products		Sonicwall Sonicwall sma1000

Thu, 09 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication.
Weaknesses		CWE-176
References		https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003

Subscriptions

Sonicwall Sma1000

MITRE

Status: PUBLISHED

Assigner: sonicwall

Published: 2026-04-09T14:27:29.341Z

Updated: 2026-04-13T18:26:18.229Z

Reserved: 2026-03-13T12:13:43.715Z

Link: CVE-2026-4116

Vulnrichment

Updated: 2026-04-13T18:26:07.744Z

NVD

Status : Awaiting Analysis

Published: 2026-04-09T15:16:14.010

Modified: 2026-04-13T19:16:52.710

Link: CVE-2026-4116

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:36:56Z

Weaknesses

CWE-176

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object