Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN admin to bypass AMC TOTP authentication.
AnalysisAI
Remote authenticated SonicWall SMA1000 SSLVPN administrators can bypass AMC TOTP (Time-based One-Time Password) authentication via improper handling of Unicode encoding, allowing high-privileged attackers to achieve authentication bypass on affected appliances. CVSS 6.6 reflects high-privileged requirement (PR:H) and high attack complexity (AC:H), limiting real-world exploitation despite total technical impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability requires SPECIFIC AND LIMITING conditions: (1) attacker must already possess valid SMA1000 SSLVPN admin credentials (username and password); (2) AMC TOTP authentication must be enabled on the target appliance (non-default but common in security-conscious deployments); (3) attacker must understand and craft valid Unicode encoding variations that exploit the specific parsing discrepancy in the affected versions (requires specialized knowledge, not automatable via generic payload lists). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Risk assessment reveals tension between CVSS severity and real-world exploitation probability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or socially engineered valid SMA1000 SSLVPN admin credentials (username and password) attempts to bypass the TOTP second-factor authentication. Instead of supplying a legitimate TOTP token derived from the admin's authenticator app, the attacker crafts a Unicode-encoded payload (e.g., using homoglyphs, combining characters, or canonical form variations of digits) that is accepted by the authentication handler's Unicode parser but rejected by the TOTP validation algorithm's different encoding interpretation. … |
| Remediation | Apply the vendor-released security patch immediately to update SMA1000 appliances beyond versions 12.5.0-02283 and 12.4.3-03245 respectively (exact patched versions referenced in SonicWall advisory SNWLID-2026-0003 at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An improper privilege management vulnerability in the SonicWall NetExtender Windows (32 and 64 bit) client allows a low
SQL injection in SonicWall SMA1000 series appliances allows authenticated attackers with read-only administrator privile
An Improper Link Resolution Before File Access ('Link Following') vulnerability in SonicWall NetExtender Windows (32 and
A local privilege escalation vulnerability in SonicWall NetExtender Windows (32 and 64 bit) client which allows an attac
SonicWall SMA1000 SSL VPN appliances allow remote authenticated administrators to enumerate valid user credentials throu
Two-factor authentication bypass in SonicWall SMA1000 SSL-VPN allows remote attackers with valid SSLVPN credentials to c
A Improper Link Resolution vulnerability (CWE-59) in the SonicWall Connect Tunnel Windows (32 and 64 bit) client, this r
Stored Cross-Site Scripting (XSS) in SonicWall Email Security allows authenticated admin users to inject and execute arb
Database corruption in SonicWall Email Security appliance via improper input sanitization allows authenticated admin use
SonicWall Email Security appliance becomes unresponsive due to improper input validation when an authenticated administr
Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem i
SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal
Same weakness CWE-176 – Improper Handling of Unicode Encoding
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20906
GHSA-q2cw-g735-jvcc