SonicWall has released a security advisory addressing three newly discovered vulnerabilities in its SonicOS software, affecting a wide range of its Generation 6, 7, and 8 firewall products. Discovered by the Advanced Research Team at CrowdStrike, these flaws could allow attackers to bypass access controls, reach restricted services, or crash firewall devices through a denial-of-service condition. Administrators are urged to apply firmware updates immediately.
The Three SonicOS Vulnerabilities
The advisory outlines three distinct security flaws, each with different attack vectors and severity levels:
- CVE-2026-0204 (CVSS 8.0 — High): An improper access control flaw that allows attackers to access certain management interface functions under specific conditions due to weak authentication enforcement. This is the most severe of the three vulnerabilities and could grant an unauthenticated attacker elevated access to management capabilities that should be restricted.
- CVE-2026-0205 (CVSS 6.8 — Medium): A post-authentication path-traversal vulnerability enabling an authenticated attacker to access services that are normally restricted. While exploitation requires valid credentials, it could be used as part of a privilege escalation chain following initial account compromise.
- CVE-2026-0206 (CVSS 4.9 — Medium): A post-authentication stack-based buffer overflow that permits a remote attacker to crash the firewall device, resulting in a denial-of-service condition. In high-availability environments, this could cause unexpected failover or service disruption.
Affected Products and Firmware Versions
The vulnerabilities impact a broad range of SonicWall hardware and virtual firewalls across multiple product generations:
- Generation 6 hardware firewalls running version 6.5.5.1-6n and older
- Generation 7 firewalls running versions 7.0.1-5169 or 7.3.1-7013 and earlier
- Generation 7 NSv virtual platforms on versions 7.0.1-5169 and 7.3.1-7013 or older
- Generation 8 firewalls running version 8.1.0-8017 and older
Patched Firmware Versions
SonicWall has released fixed firmware to resolve all three vulnerabilities. Administrators should upgrade to the following versions as soon as possible:
- Gen 6 devices: Version 6.5.5.2-28n
- Gen 7 devices: Version 7.3.2-7010
- Gen 8 devices: Version 8.2.0-8009
Important Warning for Generation 6 Device Owners
Organizations operating Generation 6 firewalls must exercise particular caution when updating to the fixed version 6.5.5.2-28n. SonicWall explicitly warns against downgrading from this patched firmware to any previous version: performing a firmware downgrade on Gen6 devices will result in the deletion of all LDAP users and a complete reset of all Multi-Factor Authentication configurations. If a downgrade becomes necessary, administrators will need to manually reconfigure all LDAP and MFA settings from scratch.
SonicWall strongly advises performing a full configuration backup before beginning any upgrade process to prevent data loss and facilitate recovery if needed.
Interim Mitigations If Immediate Patching Is Not Possible
For organizations that cannot immediately deploy the patched firmware, SonicWall recommends the following temporary measures:
- Completely disable HTTP and HTTPS-based firewall management on all interfaces to reduce the attack surface for CVE-2026-0204
- Disable SSLVPN on all interfaces until patching is complete
- Restrict administrative access exclusively to SSH to maintain control while limiting exposure
- Implement network-level access controls to restrict who can reach the management interface
Context and Risk Assessment
SonicWall firewalls are widely deployed across enterprise networks, managed service providers, and critical infrastructure environments. Vulnerabilities in these devices are high-value targets for threat actors: a successfully exploited access control bypass (CVE-2026-0204) could allow attackers to tamper with firewall rules, VPN configurations, or routing policies — potentially opening pathways into otherwise protected network segments.
It is worth noting that SonicWall products have previously been targeted by ransomware groups and state-sponsored actors. Historical exploitation of SonicWall vulnerabilities has led to significant breaches at organizations globally, underscoring the importance of prompt patching. CrowdStrike’s Advanced Research Team deserves credit for the responsible disclosure that enabled SonicWall to prepare patches before these flaws were weaponised in the wild.
Administrators should treat this advisory as urgent, prioritize patching internet-facing firewall management interfaces first, and verify their firmware versions against the affected list before assuming they are protected.
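The version check described above can be scripted across an inventory. The following is an added example, not code from SonicWall or the advisory: it assumes the major version number identifies the generation, treats any release below the fixed version for its generation as needing an upgrade, and uses a constructed inventory with hypothetical device names.

```python
import re

# Fixed releases listed in the advisory, keyed by SonicOS major version
# (assumption: the major version number identifies the generation).
FIXED = {6: "6.5.5.2-28n", 7: "7.3.2-7010", 8: "8.2.0-8009"}

# Matches the version shapes shown in the advisory, e.g. 6.5.5.1-6n, 7.3.1-7013.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)-(\d+)n?$")


def parse_version(text):
    """Return (release fields..., build) as a tuple of ints, or None."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    dotted = tuple(int(part) for part in match.group(1).split("."))
    return dotted + (int(match.group(2)),)


def check_firmware(version):
    """Return (status, fixed_release); status is patched/upgrade/unknown."""
    parsed = parse_version(version)
    if parsed is None or parsed[0] not in FIXED:
        return ("unknown", None)
    target = FIXED[parsed[0]]
    # Compare release fields first and the build last: 7.3.2-7010 is newer
    # than 7.3.1-7013 even though its build number is lower.
    status = "patched" if parsed >= parse_version(target) else "upgrade"
    return (status, target)


def audit(inventory):
    """Map each device name to (version, status, fixed_release)."""
    return {name: (ver,) + check_firmware(ver) for name, ver in inventory.items()}


# Constructed inventory for illustration; device names are hypothetical.
SAMPLE_INVENTORY = {
    "branch-fw-01": "6.5.5.1-6n",
    "hq-fw-01": "7.3.1-7013",
    "hq-fw-02": "7.3.2-7010",
    "nsv-lab": "7.0.1-5169",
    "dc-fw-01": "8.2.0-8009",
    "unlabelled": "n/a",
}

if __name__ == "__main__":
    for name, (ver, status, target) in audit(SAMPLE_INVENTORY).items():
        print(f"{name:14} {ver:12} {status:8} fixed={target}")
```

Devices reported as `unknown` have a version string the script could not parse or a generation the advisory does not list, and need a manual check.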