SonicWall Patches a Critical SQL Injection Vulnerability
July 25, 2022
A critical SQL injection (SQLi) vulnerability affecting Analytics On-Premise and Global Management System (GMS) products has been patched by SonicWall.
The Vulnerability
- CVE-2022-22280 (CVSS 3.0: 9.4, Critical) – Allows SQL injection due to improper neutralization of special elements used in an SQL command.
The vulnerability has a low attack complexity and may be exploited from the network without user interaction or authentication.
Affected Products
- SonicWall GMS: 9.3.1-SP2-Hotfix1 and earlier versions.
- SonicWall Analytics: 2.5.0.3-2520 and earlier versions.
Mitigation
CYREBRO recommends updating the vulnerable products to the fixed versions:
- Analytics 2.5.0.3-2520-Hotfix1
- GMS 9.3.1-SP2-Hotfix-2
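To check an asset inventory against the fixed versions listed above, the following added example (not SonicWall or CYREBRO code) parses the version strings as they are written on this page, accepting both the "Hotfix1" and "Hotfix-2" spellings. The ordering of release, build, service pack and hotfix is an assumption of this example, and the hostnames are constructed.

```python
import re

# Fixed releases exactly as listed under "Mitigation" on this page.
FIXED = {
    "analytics": "2.5.0.3-2520-Hotfix1",
    "gms": "9.3.1-SP2-Hotfix-2",
}

_VERSION_RE = re.compile(
    r"""^(?P<nums>\d+(?:\.\d+)*)      # dotted release, e.g. 9.3.1
        (?:-(?P<build>\d+))?          # optional build number, e.g. -2520
        (?:-SP(?P<sp>\d+))?           # optional service pack, e.g. -SP2
        (?:-Hotfix-?(?P<hf>\d+))?$    # optional hotfix: 'Hotfix1' or 'Hotfix-2'
    """,
    re.IGNORECASE | re.VERBOSE,
)

def parse_version(text):
    """Return a sortable key (assumed ordering: release, build, SP, hotfix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    extras = tuple(int(m.group(g) or 0) for g in ("build", "sp", "hf"))
    return nums, extras

def needs_update(product, version):
    """True when the installed version sorts below the fixed release."""
    return parse_version(version) < parse_version(FIXED[product.lower()])

def triage(inventory):
    """Split (host, product, version) rows into vulnerable, patched and unparsed."""
    result = {"vulnerable": [], "patched": [], "unparsed": []}
    for host, product, version in inventory:
        try:
            key = "vulnerable" if needs_update(product, version) else "patched"
        except (ValueError, KeyError):
            key = "unparsed"  # unknown product or odd version: review by hand
        result[key].append(host)
    return result

# Constructed inventory rows (hostnames are made up for this example).
SAMPLE = [
    ("gms-01", "GMS", "9.3.1-SP2-Hotfix1"),
    ("gms-02", "GMS", "9.3.1-SP2-Hotfix-2"),
    ("ana-01", "Analytics", "2.5.0.3-2520"),
    ("ana-02", "Analytics", "2.5.0.3-2520-Hotfix1"),
    ("gms-03", "GMS", "unknown"),
]
```

Hosts that land in `unparsed` are reported separately so that an unreadable version string is never counted as patched.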
References: SonicWall advisory.