Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials.
Analysis (AI)
SonicWall SMA1000 SSL VPN appliances allow remote authenticated administrators to enumerate valid user credentials through observable timing or response differences. Affects SMA1000 versions 12.4.3-03245 and earlier, plus 12.5.0-02283 and earlier. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires authenticated access with high-level administrative privileges (PR:H) to the SonicWall SMA1000 management interface. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Multi-signal analysis indicates moderate real-world priority despite the High CVSS severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised a high-privilege administrator account on the SMA1000 appliance (through credential theft, social engineering, or a separate vulnerability) uses the authenticated admin session to systematically probe the SSL VPN user authentication mechanism. By submitting login attempts with varying usernames and observing response timing differences or distinct error messages, the attacker builds a complete list of valid VPN user accounts. … |
| Remediation | Upgrade SMA1000 appliances to the patched firmware versions released by SonicWall for SNWLID-2026-0003. … Detailed patch versions, workarounds, and compensating controls in the full report. |
Recommended Action (AI)
Within 24 hours: Identify all SonicWall SMA1000 appliances in production and document current firmware versions. …
An improper privilege management vulnerability in the SonicWall NetExtender Windows (32 and 64 bit) client allows a low
SQL injection in SonicWall SMA1000 series appliances allows authenticated attackers with read-only administrator privile
An Improper Link Resolution Before File Access ('Link Following') vulnerability in SonicWall NetExtender Windows (32 and
A local privilege escalation vulnerability in SonicWall NetExtender Windows (32 and 64 bit) client which allows an attac
Two-factor authentication bypass in SonicWall SMA1000 SSL-VPN allows remote attackers with valid SSLVPN credentials to c
Remote authenticated SonicWall SMA1000 SSLVPN administrators can bypass AMC TOTP (Time-based One-Time Password) authenti
A Improper Link Resolution vulnerability (CWE-59) in the SonicWall Connect Tunnel Windows (32 and 64 bit) client, this r
Stored Cross-Site Scripting (XSS) in SonicWall Email Security allows authenticated admin users to inject and execute arb
Database corruption in SonicWall Email Security appliance via improper input sanitization allows authenticated admin use
SonicWall Email Security appliance becomes unresponsive due to improper input validation when an authenticated administr
Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem i
SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal
Same weakness: CWE-204 – Observable Response Discrepancy
Same technique: Information Disclosure
EUVD-2026-20904
GHSA-fvcv-8g7r-6893