Date: 2022-07-25

The SQL injection vulnerability affects SonicWall’s Analytics and Global Management System solutions.

The vulnerability, which has a CVSS score of 9.4, is now patched, and users are warned to apply the patch as soon as possible.

SonicWall stated that there are no known workarounds for the vulnerability but using a WAF can reduce the risk for the users.

Network security company SonicWall announced the release of a patch that addresses a critical vulnerability, tracked as CVE-2022-22280. The vulnerability has a CVSS score of 9.4. When exploited, the vulnerability allows an attacker to perform SQL injection attacks. The company stated that “improper neutralization of special elements” in SQL commands could lead to exploitation of the vulnerability.

No workaround

SonicWall stated that there are no known workarounds for the vulnerability; however, the risk can be reduced by using a WAF to block exploitation attempts. The company urged users to upgrade to Analytics 2.5.0.3-2520-Hotfix1 and GMS 9.3.1-SP2-Hotfix-2 as soon as possible. Affected versions are:

Analytics 2.5.0.3-2520 and earlier

GMS 9.3.1-SP2-Hotfix-1 and earlier

SonicWall also stated that there is no active exploitation in the wild currently, no reports of a proof of concept have been made public, and no reports have been submitted about the malicious use of this vulnerability. H4lo and Catalpa of DBappSecurity HAT Lab are credited for finding and reporting the vulnerability.