SonicWall Issues Critical Patch for SMA 1000 Series to Stop SQL Injection and MFA Bypasses

SonicWall has released a series of patches for its SMA 1000 series appliances to address four distinct vulnerabilities. The flaws range from a high-severity SQL injection that allows privilege escalation to sophisticated Unicode-based bypasses of multi-factor authentication (MFA).

While there is currently no evidence that these vulnerabilities are being exploited in the wild, the potential for unauthorized access to secure enterprise networks has prompted an urgent call for administrators to update their systems.

The most severe vulnerability in the advisory, tracked as CVE-2026-4112, is a high-severity SQL injection flaw with a CVSS score of 7.2. This vulnerability involves the “improper neutralization of special elements used in an SQL command”.

The flaw is particularly dangerous because it “allows a remote authenticated attacker with read-only administrator privileges to escalate privileges to primary administrator”. This means an insider or a compromised low-level account could effectively seize total control of the security appliance.

SonicWall also detailed two vulnerabilities that specifically target Time-based One-Time Password (TOTP) authentication, a common form of MFA:

• AMC TOTP Bypass (CVE-2026-4114): Rated at a 6.6 severity, this flaw stems from the “improper handling of Unicode encoding”. It allows a remote authenticated SSLVPN admin to bypass AMC TOTP authentication entirely.
• Workplace/Connect Tunnel Bypass (CVE-2026-4116): Similarly, this 6.0 severity flaw uses Unicode encoding issues to allow an authenticated SSLVPN user to “bypass Workplace/Connect Tunnel TOTP authentication”.

By weaponizing these Unicode discrepancies, attackers can neutralize the very secondary security layers meant to keep them out.

Rounding out the report is a medium-severity Observable Response Discrepancy. This vulnerability, tracked as CVE-2026-4113, allows a remote attacker to “enumerate SSL VPN user credentials” by analyzing slight differences in how the system responds to login attempts. This information can be used to build targeted lists for future brute-force or phishing campaigns.

The vulnerabilities impact specific versions of the SMA 1000 series infrastructure:

• SMA 1000: Versions 12.4.3-03245 (platform-hotfix) and earlier.

• SMA 1000: Version 12.5.0-02283 (platform-hotfix) and earlier.

SonicWall explicitly stated that these vulnerabilities do not affect the SSL-VPN features running on SonicWall firewall products.

SonicWall “strongly advises users of the SMA1000 series appliances to upgrade” to the latest fixed release versions immediately. Administrators should ensure they are running versions beyond the hotfixes listed above to mitigate these risks and maintain a robust security posture for their remote access environments.

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy