CVE-2020-5135
Published: 12 October 2020
Summary
CVE-2020-5135 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in SonicWall SonicOS. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 3.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A buffer overflow vulnerability tracked as CVE-2020-5135 exists in SonicOS, the operating system used by SonicWall firewalls. The flaw, categorized under CWE-120, affects SonicOS Gen 6 versions 6.5.4.7, 6.5.1.12, and 6.0.5.3, SonicOSv 6.5.4.v, and Gen 7 version 7.0.0.0. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack conditions with no required authentication or user interaction.
A remote attacker can exploit the issue by sending a crafted request directly to the firewall, resulting in a denial of service and potential arbitrary code execution on the affected device.
The vulnerability is documented in SonicWall PSIRT advisory SNWLID-2020-0010 and appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation activity against unpatched systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-26382
Vulnerability details
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.
- CWE(s)
- KEV Date Added: 15 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all input to the firewall to reject or sanitize malformed requests that trigger the buffer overflow.
Applies memory-protection mechanisms that block exploitation of the buffer-overflow condition even if input validation is incomplete.
Mandates prompt installation of vendor patches that eliminate the CWE-120 flaw in the affected SonicOS versions.