CVE-2023-0656
Published: 2023-03-02
Priority: P278 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ITW: exploited (VulnCheck KEV)
Exploited in the wild
EPSS: 41.32% (98.5th percentile)
A Stack-based buffer overflow vulnerability in the SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sonicos | <= 7.0.1-5111 | — |
| sonicwall | sonicos | <= 7.0.1-5083 | — |
| sonicwall | sonicos | <= 6.5.4.4-44v-21-1551 | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
Detection & IOCs (extracted from sources)
path/stats/
path/Security_Services
Snort/Suricata rule (sid:2061253):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M1"; flow:established,to_server; urilen:>1024; http.uri; content:"/stats/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2023-0656; classtype:attempted-dos; sid:2061253; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2023_0656, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
Snort/Suricata rule (sid:2061256):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M2"; flow:established,to_server; urilen:>1024; http.uri; content:"/Security_Services"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2023-0656; classtype:attempted-dos; sid:2061256; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2023_0656, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit traffic targets HTTP URI paths starting with /stats/ or /Security_Services with a URI length greater than 1024 bytes and an HTTP protocol field longer than 8 bytes — both conditions must be met simultaneously.
- CVE-2023-0656 and CVE-2022-22274 share the same vulnerable code pattern; exploit payloads for CVE-2022-22274 also work against /resources/ and /atp/ URI paths, which can be used as additional detection pivot points.
- Exploitation requires no authentication; any inbound HTTP request from an external host matching the URI and length conditions should be treated as a potential exploit attempt.
- Successful exploitation may force the device into maintenance mode; monitor for unexpected SonicWall firewall reboots or transitions to maintenance mode as a post-exploitation indicator.
- Signatures should be deployed at the perimeter and on SSL/TLS-decrypting inspection points, as the exploit may arrive over HTTPS; the ET rules explicitly require TLSDecrypt state.
- The Snort/Suricata rules (sid:2061253, sid:2061256) require TLS inspection to be active (tls_state TLSDecrypt); without SSL/TLS decryption enabled on the sensor, exploit traffic over HTTPS will not be detected.
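The rule conditions above, transcribed into a small offline checker that a defender can run over request lines pulled from a proxy or web-server log. This is an added example, not code from the page or from the ET ruleset; it approximates `urilen` as the byte length of the request-target and `http.protocol` as the third token of the request line, and the sample lines are constructed, not captured traffic. It also covers the two CVE-2022-22274 prefixes (/resources/ and /atp/) from the companion rules.

```python
import re
from typing import Optional

# Thresholds from the ET rules: urilen:>1024 and http.protocol bsize:>8.
# A normal "HTTP/1.1" token is exactly 8 bytes, so well-formed requests never
# satisfy the second condition; both must hold for the rule to fire.
URI_LEN_THRESHOLD = 1024
PROTO_LEN_THRESHOLD = 8

# sid -> URI prefix that the rule anchors with `content:...; startswith;`
PREFIXES = {
    2061253: "/stats/",             # CVE-2023-0656 M1
    2061256: "/Security_Services",  # CVE-2023-0656 M2
    2061248: "/resources/",         # CVE-2022-22274 M1
    2061251: "/atp/",               # CVE-2022-22274 M2
}

# method SP request-target SP protocol (RFC 9112 request line shape)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (\S+)$")


def match_request_line(line: str) -> Optional[int]:
    """Return the sid whose conditions this request line meets, else None."""
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    _method, uri, proto = m.groups()
    # Both length conditions are required simultaneously.
    if len(uri) <= URI_LEN_THRESHOLD or len(proto) <= PROTO_LEN_THRESHOLD:
        return None
    for sid, prefix in PREFIXES.items():
        if uri.startswith(prefix):
            return sid
    return None


def scan(lines):
    """Return (sid, first 40 bytes of line) for every line that matches."""
    hits = []
    for line in lines:
        sid = match_request_line(line)
        if sid is not None:
            hits.append((sid, line[:40]))
    return hits


# Constructed sample request lines (assumption: not real captured traffic).
SAMPLES = [
    "GET /stats/ HTTP/1.1",                                # short URI: no alert
    "GET /stats/" + "A" * 1100 + " HTTP/1.1",              # long URI, proto 8 bytes: no alert
    "GET /stats/" + "A" * 1100 + " HTTP/1.1XXXX",          # both conditions: sid 2061253
    "GET /Security_Services?" + "B" * 1100 + " HTTP/1.1XXXX",  # sid 2061256
    "GET /login" + "D" * 1100 + " HTTP/1.1XXXX",           # wrong prefix: no alert
]
```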
CVSS provenance
NVD (v3.1): 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
VulnCheck: 7.5 HIGH
GHSA
GHSA-w97f-6vh7-h454 · ghsa_unreviewed · 2023-03-03 · CVE-2023-0656 [HIGH] · CWE-787
A Stack-based buffer overflow vulnerability in the SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash.
VulnCheck
SonicWall sonicos Stack-based Buffer Overflow · vulncheck · 2023 · CVSS 7.5 · CVE-2023-0656 [HIGH]
A Stack-based buffer overflow vulnerability in the SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash.
Affected: SonicWall sonicos
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-12&host_type=src&vulnerability=cve-2023-0656; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-13&host_type=src&vulnerability=cve-2023-0656; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-14&host_
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M1
suricata · 2025-04-02 · CVSS 9.8 · CVE-2023-0656 [CRITICAL]
Rule: sid:2061253 (the full rule text is listed under Detection & IOCs above).
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M1
suricata · 2025-04-02 · CVSS 9.8 · CVE-2022-22274 [CRITICAL]
Rule (sid:2061248):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M1"; flow:established,to_server; urilen:>1024; http.uri; content:"/resources/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2022-22274; classtype:attempted-dos; sid:2061248; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2022_22274, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at
```
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M2
suricata · 2025-04-02 · CVSS 9.8 · CVE-2022-22274 [CRITICAL]
Rule (sid:2061251):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M2"; flow:established,to_server; urilen:>1024; http.uri; content:"/atp/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2022-22274; classtype:attempted-dos; sid:2061251; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2022_22274, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_02
```
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M2
suricata · 2025-04-02 · CVSS 9.8 · CVE-2023-0656 [CRITICAL]
Rule: sid:2061256 (the full rule text is listed under Detection & IOCs above).
No public exploits indexed.
Greynoise
Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure
blogs_greynoiseio · 2026-02-27
Bleepingcomputer
## Over 178K SonicWall firewalls vulnerable to DoS, potential RCE attacks
blogs_bleepingcomputer · 2024-01-15 · CVSS 9.8 · CVE-2022-22274 [CRITICAL]
By Sergiu Gatlan
Security researchers have found that over 178,000 SonicWall next-generation firewalls (NGFW) with the management interface exposed online are vulnerable to denial-of-service (DoS) and potential remote code execution (RCE) attacks.
These appliances are affected by two DoS security flaws tracked as CVE-2022-22274 and CVE-2023-0656, the former also allowing attackers to gain remote code execution.
"Using BinaryEdge source data, we scanned SonicWall firewalls with management interfaces exposed to the internet and found that 76% (178,637 of 233,984) are vulnerable to one or both issues," said Jon Williams, a Senior Security Engineer at Bishop Fox.
Although the two vulnerabilities are essentially the same