Critical SonicWall SSLVPN Vulnerability Exposes Firewalls to Remote Attacks

SonicWall has recently disclosed a critical security vulnerability in its SSLVPN service, identified as CVE-2025-32818, which allows unauthenticated remote attackers to crash affected firewall appliances. This flaw poses a significant risk to enterprise networks by potentially causing Denial-of-Service (DoS) conditions that disrupt critical network services.

Understanding the Vulnerability

The vulnerability stems from a NULL Pointer Dereference issue within the SonicOS SSLVPN Virtual Office interface. This flaw enables attackers to remotely trigger a firewall crash without requiring authentication, leading to a DoS condition. Jon Williams of Bishop Fox, who discovered the vulnerability, explained that exploitation forces the device to reference a NULL pointer, causing the firewall to crash and restart. Given that the attack requires no authentication, it presents a significant risk to internet-facing SonicWall devices.

Affected Products and Firmware Versions

The vulnerability impacts several SonicWall products, including:

– Gen7 NSv Models: NSv 270, NSv 470, NSv 870

– Gen7 Firewalls: TZ series (TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670), NSa series (NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700), and NSsp series (NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700)

– TZ80 Model: Firmware version 8.0.0-8037 and earlier

Specifically, the affected firmware versions are 7.1.1-7040 to 7.1.3-7015 for Gen7 devices. Notably, SonicOS GEN6 and GEN7 7.0.x firmware versions are not affected by this vulnerability.

Mitigation and Recommendations

SonicWall has released fixed firmware versions to address this vulnerability. Affected customers are strongly advised to upgrade to firmware version 7.2.0-7015 or higher for Gen7 devices, or 8.0.1-8017 or higher for TZ80 models. As no workaround is available, applying these firmware updates is the only effective mitigation against this vulnerability.

Organizations with affected devices should implement these patches immediately, especially for internet-facing firewalls. Additionally, monitoring devices for signs of exploitation, such as unexpected reboots or service disruptions, is recommended.
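To turn the version ranges above into an inventory check, the following added example (not SonicWall's or Bishop Fox's code) classifies a device by model and firmware string. It assumes versions order as (major, minor, patch, build); the hostnames and sample builds are constructed, and builds the text does not place in either range are flagged for manual review rather than guessed.

```python
import re

# Version bounds as stated in the advisory text above.
GEN7_AFFECTED = ((7, 1, 1, 7040), (7, 1, 3, 7015))
GEN7_FIXED = (7, 2, 0, 7015)
TZ80_LAST_AFFECTED = (8, 0, 0, 8037)
TZ80_FIXED = (8, 0, 1, 8017)

# Assumption: builds order as (major, minor, patch, build).
_VERSION = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)-(\d+)")

def parse_version(text):
    """Extract 'X.Y.Z-BUILD' from a banner or inventory field as an int tuple."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())

def classify(model, firmware):
    """Return 'affected', 'fixed', 'not-affected' or 'review'."""
    try:
        version = parse_version(firmware)
    except ValueError:
        return "review"  # unknown format: check by hand
    if model.replace(" ", "").upper() == "TZ80":
        if version <= TZ80_LAST_AFFECTED:
            return "affected"
        return "fixed" if version >= TZ80_FIXED else "review"
    if version[0] < 7 or version[:2] == (7, 0):
        return "not-affected"  # GEN6 and GEN7 7.0.x
    if GEN7_AFFECTED[0] <= version <= GEN7_AFFECTED[1]:
        return "affected"
    # Builds the text does not place in either range go to manual review.
    return "fixed" if version >= GEN7_FIXED else "review"

def needs_upgrade(inventory):
    """Return hostnames whose firmware falls in an affected range."""
    return [host for host, model, fw in inventory if classify(model, fw) == "affected"]

# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = [
    ("fw-edge-01", "TZ470", "SonicOS 7.1.2-7019"),
    ("fw-edge-02", "NSa 2700", "7.2.0-7015"),
    ("fw-lab-01", "TZ370", "7.0.1-5161"),
    ("fw-branch-07", "TZ80", "8.0.0-8037"),
]
if __name__ == "__main__":
    for host, model, fw in SAMPLE:
        print(host, model, fw, classify(model, fw))
```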

Broader Context of SonicWall Vulnerabilities

This disclosure is part of a series of vulnerabilities affecting SonicWall devices. In December 2024, over 25,000 publicly accessible SonicWall SSLVPN devices were found vulnerable to critical flaws, with 20,000 using unsupported firmware versions. These vulnerabilities have been exploited by ransomware groups, including Akira, to gain initial access to corporate networks.

In January 2025, SonicWall urged administrators to patch an authentication bypass vulnerability in SSL VPN and SSH management, tracked as CVE-2024-53704, which was susceptible to actual exploitation. The company released patches and recommended immediate upgrades to prevent potential attacks.

Furthermore, in February 2025, security researchers at Bishop Fox published exploitation details for CVE-2024-53704, a flaw that allows attackers to hijack active SSL VPN sessions without authentication. The vulnerability enabled unauthorized access to victims’ networks, emphasizing the importance of timely patching and robust security measures.

Conclusion

The disclosure of CVE-2025-32818 underscores the critical need for organizations to stay vigilant and proactive in addressing security vulnerabilities. Regularly updating firmware, monitoring for signs of exploitation, and implementing robust security practices are essential steps in safeguarding enterprise networks against potential threats.