{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4116", "assignerOrgId": "44b2ff79-1416-4492-88bb-ed0da00c7315", "state": "PUBLISHED", "assignerShortName": "sonicwall", "dateReserved": "2026-03-13T12:13:43.715Z", "datePublished": "2026-04-09T14:27:29.341Z", "dateUpdated": "2026-04-13T18:26:18.229Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "44b2ff79-1416-4492-88bb-ed0da00c7315", "shortName": "sonicwall", "dateUpdated": "2026-04-09T14:27:29.341Z"}, "datePublic": "2026-04-09T05:11:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-176", "description": "CWE-176 Improper handling of unicode encoding", "type": "CWE"}]}], "affected": [{"vendor": "SonicWall", "product": "SMA1000", "platforms": ["Linux"], "versions": [{"status": "affected", "version": "12.4.3-03245 (platform-hotfix) and earlier versions."}, {"status": "affected", "version": "12.5.0-02283 (platform-hotfix) and earlier versions."}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication.</p>"}]}], "references": [{"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003", "tags": ["vendor-advisory"]}], "source": {"advisory": "SNWLID-2026-0003", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:26:14.491064Z", "id": "CVE-2026-4116", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:26:18.229Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4116", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T18:26:14.491064Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:26:07.744Z"}}], "cna": {"source": {"advisory": "SNWLID-2026-0003", "discovery": "EXTERNAL"}, "affected": [{"vendor": "SonicWall", "product": "SMA1000", "versions": [{"status": "affected", "version": "12.4.3-03245 (platform-hotfix) and earlier versions."}, {"status": "affected", "version": "12.5.0-02283 (platform-hotfix) and earlier versions."}], "platforms": ["Linux"], "defaultStatus": "unknown"}], "datePublic": "2026-04-09T05:11:00.000Z", "references": [{"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-176", "description": "CWE-176 Improper handling of unicode encoding"}]}], "providerMetadata": {"orgId": "44b2ff79-1416-4492-88bb-ed0da00c7315", "shortName": "sonicwall", "dateUpdated": "2026-04-09T14:27:29.341Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4116", "state": "PUBLISHED", "dateUpdated": "2026-04-13T18:26:18.229Z", "dateReserved": "2026-03-13T12:13:43.715Z", "assignerOrgId": "44b2ff79-1416-4492-88bb-ed0da00c7315", "datePublished": "2026-04-09T14:27:29.341Z", "assignerShortName": "sonicwall"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sonicwall:sma6210_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DBCAA68-BFC4-4282-BE32-5BE837C01D78", "versionEndExcluding": "12.4.3-03387", "vulnerable": true}, {"criteria": "cpe:2.3:o:sonicwall:sma6210_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A037764-3A32-4BDA-9A30-5B37C18CD08D", "versionEndExcluding": "12.5.0-02624", "versionStartIncluding": "12.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sonicwall:sma6210:-:*:*:*:*:*:*:*", "matchCriteriaId": "7B24D300-1154-49A1-A1F3-FB0CC717166A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sonicwall:sma6200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "987A8BE1-77A9-4672-933B-ACD501DD3AB4", "versionEndExcluding": "12.4.3-03387", "vulnerable": true}, {"criteria": "cpe:2.3:o:sonicwall:sma6200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "87A919DB-A894-4ED9-8934-C7C007AACF68", "versionEndExcluding": "12.5.0-02624", "versionStartIncluding": "12.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sonicwall:sma6200:-:*:*:*:*:*:*:*", "matchCriteriaId": "57B3C90F-F633-41B9-855E-902F6DC8ACA5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sonicwall:sma7200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C562F03-50C0-4ED7-8AD6-4CF3C5862D13", "versionEndExcluding": "12.4.3-03387", "vulnerable": true}, {"criteria": "cpe:2.3:o:sonicwall:sma7200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFF37E70-755D-425E-84C6-DDB975288187", "versionEndExcluding": "12.5.0-02624", "versionStartIncluding": "12.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sonicwall:sma7200:-:*:*:*:*:*:*:*", "matchCriteriaId": "4F7B4ED9-7A57-48DC-AAEC-A2C2EAFF3B64", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sonicwall:sma7210_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3616EEFA-CEB8-4E9C-A53C-356C78DC1244", "versionEndExcluding": "12.4.3-03387", "vulnerable": true}, {"criteria": "cpe:2.3:o:sonicwall:sma7210_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FE09110-AA3D-4466-8C32-2480D1135AF7", "versionEndExcluding": "12.5.0-02624", "versionStartIncluding": "12.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sonicwall:sma7210:-:*:*:*:*:*:*:*", "matchCriteriaId": "E9B414C5-C376-4216-A267-ABC0930905CE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sonicwall:sma8200v:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9C76A87-8E12-493D-8F14-D73D83DF641E", "versionEndExcluding": "12.4.3-03387", "vulnerable": true}, {"criteria": "cpe:2.3:a:sonicwall:sma8200v:*:*:*:*:*:*:*:*", "matchCriteriaId": "48715079-B463-4626-971E-203EB3EDDAAB", "versionEndExcluding": "12.5.0-02624", "versionStartIncluding": "12.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication."}], "id": "CVE-2026-4116", "lastModified": "2026-05-14T19:33:35.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T15:16:14.010", "references": [{"source": "PSIRT@sonicwall.com", "tags": ["Vendor Advisory"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003"}], "sourceIdentifier": "PSIRT@sonicwall.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-176"}], "source": "PSIRT@sonicwall.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,12.4.3-03245]"}}, {"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,12.5.0-02283]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SMA1000", "source": "cna", "vendor": "SonicWall"}, "product": "sma1000", "vendor": "sonicwall"}], "analysis": {"en": {"generated_at": "2026-04-13T21:11:03.400634+00:00", "value": {"mitigation_remediation": ["Check the SonicWall PSIRT portal for the latest firmware update that addresses Unicode handling in the SMA1000 series and apply the patch as soon as it is available.", "Verify after upgrading that Workplace/Connect Tunnel TOTP authentication behaves correctly by attempting a test login with a valid OTP.", "Monitor SSLVPN logs for anomalous login attempts that lack OTP confirmation, and investigate any instances where authentication succeeds without the expected TOTP prompt.", "If an update is not yet available, temporarily disable TOTP enforcement for SSLVPN sessions or restrict access to the appliance until the vendor releases a remediation."], "summary": {"action": "Patch Immediately", "impact": "Bypass of TOTP authentication protecting SSLVPN sessions"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all SonicWall SMA1000 appliances. No specific firmware versions are listed, so all current releases of the SMA1000 series should be considered at risk until a patch is applied.", "description_and_impact": "Improper handling of Unicode encoding in SonicWall SMA1000 series appliances enables a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication. This bug can allow an attacker who is already authenticated to substitute a malformed Unicode character and cause the system to skip the one\u2011time password challenge, granting unauthorized access and potentially exposing protected data. The weakness corresponds to CWE\u2011176 (Improper Encoding), and it directly undermines the confidentiality and integrity of user sessions.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity, while an EPSS value below 1\u202f% signals a low probability of widespread exploitation. The vulnerability is not yet listed in the CISA KEV catalog. The attack requires a malicious Unicode input designed to exploit the encoding flaw, and the attacker must already be authenticated via SSLVPN. Because the flaw directly bypasses the TOTP challenge, exploitation could lead to full session takeover if troubleshooting or administrative privileges are granted. The likely attack vector is remote authenticated\u2014an attacker who can log into the SSLVPN can send the crafted Unicode payload and bypass the two\u2011factor step."}}}}, "created": "2026-04-10T08:53:34.939191+00:00", "updated": "2026-04-14T16:36:56.971212+00:00", "vendors": ["sonicwall", "sonicwall$PRODUCT$sma1000"]}