Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication.
AnalysisAI
Two-factor authentication bypass in SonicWall SMA1000 SSL-VPN allows remote attackers with valid SSLVPN credentials to circumvent TOTP requirements via Unicode encoding manipulation. Affects SMA1000 versions 12.5.0-02283 and 12.4.3-03245 and earlier. Requires high-privilege (PR:H) authenticated access but enables complete authentication bypass (CVSS 7.2). Low EPSS score (0.03%, 10th percentile) indicates minimal observed exploitation likelihood. No public exploit code identified at time of analysis.
Technical ContextAI
The vulnerability stems from improper Unicode normalization or canonicalization (CWE-176) in the authentication flow of SonicWall SMA1000 series appliances. When users authenticate to Workplace or Connect Tunnel features requiring TOTP (Time-based One-Time Password) multi-factor authentication, the system fails to correctly process Unicode-encoded input. This character encoding flaw allows attackers to craft authentication requests with specially encoded Unicode characters that bypass the TOTP validation logic while still being accepted by other authentication components. SMA1000 appliances function as SSL-VPN gateways providing secure remote access, making authentication bypass vulnerabilities particularly critical to enterprise security posture. Unicode handling vulnerabilities typically exploit differences in how various system components normalize or compare strings containing non-ASCII characters, homoglyphs, or combining characters.
RemediationAI
Apply the vendor-released security updates immediately for affected SMA1000 appliances. SonicWall has published patches addressing this Unicode handling flaw, available through the official PSIRT advisory at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003. Organizations should upgrade to the latest platform-hotfix versions that supersede 12.5.0-02283 for the 12.5.x branch and 12.4.3-03245 for the 12.4.x branch. Until patching is complete, implement compensating controls including enhanced monitoring of SSLVPN authentication logs for anomalous Unicode characters in authentication requests, enforcement of principle of least privilege to minimize high-privilege SSLVPN accounts (reducing PR:H attack surface), and consideration of additional authentication factors beyond TOTP if supported by the platform. Review access logs for evidence of exploitation attempts involving unusual character encodings in authentication flows.
SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2
The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before
The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default passwor
Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute
cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not requir
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to a Remote Command Injection vulnerabili
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabi
Use of password hash instead of password for authentication vulnerability in SonicWall GMS and Analytics allows Pass-the
The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authenticatio
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to a Remote Command Injection vulnerabili
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SonicWall GM
d4d/uploader.php in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allows remote at
Same weakness CWE-176 – Improper Handling of Unicode Encoding
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20908
GHSA-98v3-fwpf-r4w2