CVE-2022-22274
Published 2022-03-25
Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 57.32% (99.0th percentile)
A Stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution in the firewall.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sonicos | <= 7.0.1-5050 | — |
| sonicwall | sonicos | <= 7.0.1-r579 | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicosv | <= 6.5.4.4-44v-21-1452 | — |
Detection & IOCs (extracted from sources)
url: github.com/BishopFox/CVE-2022-22274_CVE-2023-0656
path: /resources/
path: /atp/
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M1"; flow:established,to_server; urilen:>1024; http.uri; content:"/resources/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2022-22274; classtype:attempted-dos; sid:2061248; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2022_22274, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M2"; flow:established,to_server; urilen:>1024; http.uri; content:"/atp/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2022-22274; classtype:attempted-dos; sid:2061251; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2022_22274, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit triggers on HTTP requests with URI length greater than 1024 bytes targeting specific URI paths on SonicWall management interfaces; two confirmed URI paths for CVE-2022-22274 are /resources/ and /atp/
- CVE-2022-22274 and CVE-2023-0656 share the same vulnerable code pattern but are exploitable at different HTTP URI paths; exploit for CVE-2022-22274 worked against three additional URI paths beyond those of CVE-2023-0656
- At least one public proof-of-concept exploit exists for CVE-2022-22274, published by SSD Labs with a technical writeup noting two URI paths where the bug can be triggered
- Successful exploitation can force the SonicWall appliance into maintenance mode; monitor for unexpected device reboots or maintenance mode transitions as a post-exploitation indicator
- Detection should be deployed at the perimeter and on SSL/TLS-decrypting inspection points, as the attack is carried over HTTP/HTTPS to the management interface
- The Snort/ET rules for CVE-2022-22274 require TLS decryption (tls_state TLSDecrypt) to inspect HTTPS management traffic; without SSL inspection the rules will not fire on encrypted sessions
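Where the only place that sees decrypted management traffic is a TLS-terminating proxy, the same three conditions the rules above test (URI longer than 1024, a listed path prefix, an HTTP protocol token longer than 8 bytes) can be checked against its access log. This is an added example, not code from this page or from the rule authors; the combined-log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Path prefix -> CVE, taken from the four ET rules quoted on this page.
PREFIXES = {
    "/resources/": "CVE-2022-22274",
    "/atp/": "CVE-2022-22274",
    "/stats/": "CVE-2023-0656",
    "/Security_Services": "CVE-2023-0656",
}
URI_MIN = 1024   # urilen:>1024
PROTO_MIN = 8    # http.protocol; bsize:>8 ("HTTP/1.1" is exactly 8 bytes)

# Assumed layout: source address first, request line in double quotes.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]*)"'
)

def match_line(line):
    """Return (src, cve, uri_len, proto_len) when all rule conditions hold, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    uri, proto = m["uri"], m["proto"]
    # Both thresholds are strict, as in the rules: equal to the limit is not a match.
    if len(uri) <= URI_MIN or len(proto) <= PROTO_MIN:
        return None
    for prefix, cve in PREFIXES.items():
        if uri.startswith(prefix):
            return (m["src"], cve, len(uri), len(proto))
    return None

def scan(lines):
    """Apply match_line to every log line and keep the hits."""
    return [hit for hit in map(match_line, lines) if hit]

# Constructed sample lines: documentation addresses and filler characters only.
TS = '- - [02/Apr/2025:10:00:00 +0000]'
SAMPLE = [
    f'192.0.2.10 {TS} "GET /resources/{"A" * 1100} HTTP/1.1BBBB" 400 0',
    f'192.0.2.11 {TS} "GET /atp/{"A" * 1100} HTTP/1.1" 404 0',       # normal protocol token
    f'192.0.2.12 {TS} "GET /resources/logo.png HTTP/1.1" 200 512',   # short URI
    f'198.51.100.7 {TS} "GET /stats/{"A" * 1100} HTTP/1.1BBBB" 400 0',
    f'198.51.100.8 {TS} "GET /other/{"A" * 1100} HTTP/1.1BBBB" 400 0',  # unlisted prefix
]

if __name__ == "__main__":
    for src, cve, uri_len, proto_len in scan(SAMPLE):
        print(f"{src} {cve} uri_len={uri_len} proto_len={proto_len}")
```
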
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL
GHSA
GHSA-8348-4cmv-mvvp: A Stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote unauthenticated attacker to cause Denial of Service (DoS)
ghsa_unreviewed·2022-03-27
CVE-2022-22274 [CRITICAL] CWE-787 GHSA-8348-4cmv-mvvp: A Stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote unauthenticated attacker to cause Denial of Service (DoS)
VulnCheck
SonicWall sonicos Stack-based Buffer Overflow
vulncheck·2022·CVSS 9.8
CVE-2022-22274 [CRITICAL] SonicWall sonicos Stack-based Buffer Overflow
Affected: SonicWall sonicos
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-12&host_type=src&vulnerability=cve-2022-22274; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-13&host_type=src&vulnerability=cve-2022-22274; https://dashboard.shadowserver.org/statistics/honeypot/vulnerabilit
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M1
suricata·2025-04-02·CVSS 9.8
CVE-2023-0656 [CRITICAL] ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M1
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M1"; flow:established,to_server; urilen:>1024; http.uri; content:"/stats/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2023-0656; classtype:attempted-dos; sid:2061253; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2023_0656, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M1
suricata·2025-04-02·CVSS 9.8
CVE-2022-22274 [CRITICAL] ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M1
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M2
suricata·2025-04-02·CVSS 9.8
CVE-2022-22274 [CRITICAL] ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M2
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M2
suricata·2025-04-02·CVSS 9.8
CVE-2023-0656 [CRITICAL] ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M2
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M2"; flow:established,to_server; urilen:>1024; http.uri; content:"/Security_Services"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2023-0656; classtype:attempted-dos; sid:2061256; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2023_0656, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2
No public exploits indexed.
Greynoiseio
Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure
blogs_greynoiseio·2026-02-27
Bleepingcomputer
Over 178K SonicWall firewalls vulnerable to DoS, potential RCE attacks
blogs_bleepingcomputer·2024-01-15·CVSS 9.8
CVE-2022-22274 [CRITICAL] Over 178K SonicWall firewalls vulnerable to DoS, potential RCE attacks
## Over 178K SonicWall firewalls vulnerable to DoS, potential RCE attacks
## Sergiu Gatlan
Security researchers have found over 178,000 SonicWall next-generation firewalls (NGFW) with the management interface exposed online are vulnerable to denial-of-service (DoS) and potential remote code execution (RCE) attacks.
These appliances are affected by two DoS security flaws tracked as CVE-2022-22274 and CVE-2023-0656, the former also allowing attackers to gain remote code execution.
"Using BinaryEdge source data, we scanned SonicWall firewalls with management interfaces exposed to the internet and found that 76% (178,637 of 233,984) are vulnerable to one or both issues," said Jon Williams, a Senior Security Engineer at Bishop Fox.
Although the two vulnerabilities are essentially the same