CVE-2023-34124
Published 2023-07-13
Priority: P1 90 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 40.89% (98.5th percentile)
The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | analytics | <= 2.5.0.4-r7 | — |
| sonicwall | analytics | — | — |
| sonicwall | global_management_system | < 9.3.2 | 9.3.2 |
| sonicwall | global_management_system | — | — |
| sonicwall | gms | — | — |
| sonicwall | gms | — | — |
Detection & IOCs (extracted from sources)
url: /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27
command: action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.*:",""))) }}&password={{replace_regex(alias,"^.*:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0
- Detect SQL injection auth bypass attempts against the GMS tenant web service endpoint: look for URL-encoded UNION SELECT payloads targeting SGMSDB.DOMAINS and sgmsdb.users tables in GET requests to /ws/msw/tenant/
- Detect shell injection via the file_system task on /appliance/applianceMainPage: look for POST requests with action=file_system&task=search and searchFilter containing semicolons followed by bash commands (e.g., appliance.jar;bash)
- The exploit chain involves three stages: (1) SQL injection on /ws/msw/tenant/ with a custom Auth header containing user=system and HMAC-SHA1 signed with the hardcoded secret '?~!@#$%^^()'; (2) credential harvesting and login to /appliance/applianceMainPage; (3) shell injection via the file_system search task. Alert on any of these stages.
- Identify SonicWall GMS/Analytics exposed instances using favicon hash -1381126564 (Shodan/FOFA). Prioritize patching or monitoring of internet-facing assets matching this fingerprint.
- Monitor for uudecode-based payload staging in POST body to /appliance/applianceMainPage, specifically begin-base64 strings and execution of files dropped under /tmp/ with subsequent removal (rm /tmp/.<filename>).
- The response body for a successful appliance login step contains the string 'SonicWall Universal Management Appliance' or 'SonicWall Universal Management Host' — monitor for unexpected logins producing these responses from external IPs.
- The HMAC-SHA1 authentication bypass relies on a hardcoded secret embedded in the GMS/Analytics application. The secret '?~!@#$%^^()' is used to sign the SQL injection query payload in the Auth header, enabling unauthenticated access to the /ws/msw/tenant/ endpoint.
- The SQL injection query targets the SGMSDB.DOMAINS and sgmsdb.users tables, extracting the superadmin's id and password hash. The extracted credentials are then used to authenticate to the appliance management interface for the subsequent shell injection stage.
- Affected versions are GMS 9.3.2-SP1 and earlier, and Analytics 2.5.0.4-R7 and earlier. The Metasploit module targets GMS versions <= 9.9.9320.
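The detection notes above can be combined into one log check. The following is an added example, not code from this page or its sources: it flags each injection stage and reports an appliance login only when the same source IP has already sent the tenant SQL injection. The record shape (source IP, method, raw path, body) and all function names are assumptions; it presumes a proxy or WAF log that captures POST bodies.

```python
import re
from urllib.parse import unquote, unquote_plus

TENANT = "/ws/msw/tenant/"
APPLIANCE = "/appliance/applianceMainPage"
SQLI = re.compile(r"union\s+select.+sgmsdb\.(domains|users)", re.I | re.S)

def parse_form(body):
    """Split a urlencoded body on '&' only, so ';' stays inside values."""
    pairs = (p.partition("=") for p in body.split("&") if p)
    return {unquote_plus(k): unquote_plus(v) for k, _, v in pairs}

def stages(method, raw_path, body=""):
    """Return the stage labels matched by a single request record."""
    url = unquote(raw_path)
    found = []
    if method == "GET" and url.startswith(TENANT) and SQLI.search(url):
        found.append("sqli")
    if method == "POST" and url.split("?", 1)[0] == APPLIANCE:
        form = parse_form(body)
        if form.get("action") == "login":
            found.append("login")
        if (form.get("action") == "file_system" and form.get("task") == "search"
                and ";" in form.get("searchFilter", "")):
            found.append("shell-injection")
        if "begin-base64" in unquote_plus(body):
            found.append("uudecode-staging")
    return found

def correlate(records):
    """Alert on every injection stage; alert on a login only when the same
    source IP was already seen sending the tenant SQL injection."""
    seen_sqli, alerts = set(), []
    for ip, method, raw_path, body in records:
        for stage in stages(method, raw_path, body):
            if stage == "sqli":
                seen_sqli.add(ip)
            if stage != "login" or ip in seen_sqli:
                alerts.append((ip, stage))
    return alerts

# Constructed sample records (hypothetical log shape, documentation IP ranges).
SAMPLE = [
    ("198.51.100.7", "GET", "/ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29", ""),
    ("198.51.100.7", "POST", APPLIANCE, "action=login&applianceUser=x&ctlTimezoneOffset=0"),
    ("198.51.100.7", "POST", APPLIANCE, "action=file_system&task=search&searchFilter=appliance.jar%3Bbash"),
    ("192.0.2.10", "POST", APPLIANCE, "action=login&applianceUser=admin&ctlTimezoneOffset=0"),
]
print(correlate(SAMPLE))
```

The login from 192.0.2.10 is not reported because no tenant SQL injection preceded it from that address.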
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-xc4x-f462-g6p7: The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass
ghsa_unreviewed·2023-07-13
CVE-2023-34124 [CRITICAL] CWE-287 GHSA-xc4x-f462-g6p7: The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass
VulnCheck
SonicWall analytics Authentication Bypass by Primary Weakness
vulncheck·2023·CVSS 9.8
CVE-2023-34124 [CRITICAL] SonicWall analytics Authentication Bypass by Primary Weakness
Affected: SonicWall analytics
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2023-34124&date=2025-10-17; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2023-34124&date=2025-10-18; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2023-34124&date=2025-10-19; https://api.vulncheck.c
SonicWall
CVE-2023-34124: The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects G
vendor_sonicwall·2023-07-13·CVSS 9.8
CVE-2023-34124 [CRITICAL] CWE-305 CVE-2023-34124: The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects G
CVE-2023-34124: The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
No detection rules found.
Nuclei
SonicWall GMS and Analytics Web Services - Shell Injection
nuclei·CVSS 9.8
CVE-2023-34124 [CRITICAL] SonicWall GMS and Analytics Web Services - Shell Injection
Template:

```yaml
id: CVE-2023-34124

info:
  name: SonicWall GMS and Analytics Web Services - Shell Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, an
```
Metasploit
Sonicwall
metasploit
This module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions <= 9.9.9320.
- http://packetstormsecurity.com/files/174571/Sonicwall-GMS-9.9.9320-Remote-Code-Execution.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010
- https://www.sonicwall.com/support/notices/230710150218060