--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Critical SQL Injection Vulnerability' version: '1.0' number: '2022-054' original_date: 'July 21, 2022' date: 'July 25, 2022' --- _History:_ * _25/07/2022 --- v1.0 -- Initial publication_ # Summary On July 21st, 2022, SonicWall released security patches for their **Analytics On-Prem** and **GMS** products, addressing a critical SQL injection flaw [1,2]. Currently, no reports of a proof of concept (PoC) have been made public and there is no active exploitation in the wild. Nevertheless, immediate update to the patched versions is recommended. # Technical Details The vulnerability is being tracked as CVE-2022-22280, it has been rated as critical (CVSS 9.4) and it allows **unauthenticated SQL injection** due to an Improper Neutralization of Special Elements used in an SQL command, impacting SonicWall GMS and Analytics On-Prem [1,2]. # Affected Products The following product versions are affected from this flaw: - GMS 9.3.1-SP2-Hotfix-1 and earlier - Analytics 2.5.0.3-2520 and earlier # Recommendations It is strongly recommended to update to the respective fixed versions: - GMS 9.3.1-SP2-Hotfix-2 - Analytics 2.5.0.3-Hotfix-1 Additionally, SonicWall suggests that the likelihood of exploitation may be significantly reduced by incorporating a Web Application Firewall (WAF) to block SQL injection attempts. # References [1] [2]