Skip to main content

Sonicwall CVE-2026-4116

| EUVDEUVD-2026-20908 HIGH
Improper Handling of Unicode Encoding (CWE-176)
2026-04-09 sonicwall GHSA-98v3-fwpf-r4w2
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:29 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
7.2 (HIGH)
EUVD ID Assigned
Apr 09, 2026 - 15:00 euvd
EUVD-2026-20908
CVE Published
Apr 09, 2026 - 14:27 nvd
N/A

DescriptionCVE.org

Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication.

AnalysisAI

Two-factor authentication bypass in SonicWall SMA1000 SSL-VPN allows remote attackers with valid SSLVPN credentials to circumvent TOTP requirements via Unicode encoding manipulation. Affects SMA1000 versions 12.5.0-02283 and 12.4.3-03245 and earlier. Requires high-privilege (PR:H) authenticated access but enables complete authentication bypass (CVSS 7.2). Low EPSS score (0.03%, 10th percentile) indicates minimal observed exploitation likelihood. No public exploit code identified at time of analysis.

Technical ContextAI

The vulnerability stems from improper Unicode normalization or canonicalization (CWE-176) in the authentication flow of SonicWall SMA1000 series appliances. When users authenticate to Workplace or Connect Tunnel features requiring TOTP (Time-based One-Time Password) multi-factor authentication, the system fails to correctly process Unicode-encoded input. This character encoding flaw allows attackers to craft authentication requests with specially encoded Unicode characters that bypass the TOTP validation logic while still being accepted by other authentication components. SMA1000 appliances function as SSL-VPN gateways providing secure remote access, making authentication bypass vulnerabilities particularly critical to enterprise security posture. Unicode handling vulnerabilities typically exploit differences in how various system components normalize or compare strings containing non-ASCII characters, homoglyphs, or combining characters.

RemediationAI

Apply the vendor-released security updates immediately for affected SMA1000 appliances. SonicWall has published patches addressing this Unicode handling flaw, available through the official PSIRT advisory at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003. Organizations should upgrade to the latest platform-hotfix versions that supersede 12.5.0-02283 for the 12.5.x branch and 12.4.3-03245 for the 12.4.x branch. Until patching is complete, implement compensating controls including enhanced monitoring of SSLVPN authentication logs for anomalous Unicode characters in authentication requests, enforcement of principle of least privilege to minimize high-privilege SSLVPN accounts (reducing PR:H attack surface), and consideration of additional authentication factors beyond TOTP if supported by the platform. Review access logs for evidence of exploitation attempts involving unusual character encodings in authentication flows.

CVE-2012-2962 MEDIUM POC
6.5 Jul 30

SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2

CVE-2014-8420 CRITICAL POC
9.0 Nov 25

The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before

CVE-2012-3951 HIGH POC
7.5 Jul 31

The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default passwor

CVE-2014-4977 MEDIUM POC
6.5 Jul 16

Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute

CVE-2012-2626 MEDIUM POC
5.0 Jul 31

cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not requir

CVE-2016-9683 CRITICAL POC
9.8 Feb 22

The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to a Remote Command Injection vulnerabili

CVE-2016-9682 CRITICAL POC
9.8 Feb 22

The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabi

CVE-2023-34132 CRITICAL POC
9.8 Jul 13

Use of password hash instead of password for authentication vulnerability in SonicWall GMS and Analytics allows Pass-the

CVE-2023-34124 CRITICAL POC
9.8 Jul 13

The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authenticatio

CVE-2016-9684 CRITICAL POC
9.8 Feb 22

The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to a Remote Command Injection vulnerabili

CVE-2023-34127 HIGH POC
8.8 Jul 13

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SonicWall GM

CVE-2012-2627 CRITICAL POC
9.4 Jul 31

d4d/uploader.php in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allows remote at

Share

CVE-2026-4116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy