Cyber Resilience

CVE-2026-4116

HighUpdated

Published: 09 April 2026

Published
09 April 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 36.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4116 is a high-severity Improper Handling of Unicode Encoding (CWE-176) vulnerability in Sonicwall Sma6210 Firmware. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Multi-Factor Authentication (T1556.006); ranked at the 36.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4116 is a vulnerability stemming from improper handling of Unicode encoding, classified under CWE-176, in SonicWall SMA1000 series appliances. It enables a remote authenticated SSLVPN user to bypass Time-based One-Time Password (TOTP) authentication for the Workplace/Connect Tunnel feature. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

Exploitation requires a remote attacker with high privileges, specifically an authenticated SSLVPN user account (PR:H). Once exploited over the network with low complexity and no user interaction, the attacker can circumvent TOTP protections for Workplace/Connect Tunnel access, potentially gaining unauthorized elevated access within the VPN environment and leading to high-impact compromise across the CIA triad.

SonicWall has documented the issue in their PSIRT advisory SNWLID-2026-0003, available at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003, which provides further details on affected versions and recommended mitigations.

EU & UK References

Vulnerability details

Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1556.006 Multi-Factor Authentication Defense Impairment
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
Why these techniques?

Vulnerability enables bypassing TOTP MFA via flaw in authentication implementation, directly mapping to T1556.006.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4113Same product: Sonicwall Sma6200
CVE-2025-40602Same product: Sonicwall Sma6200
CVE-2025-23006Same product: Sonicwall Sma6200
CVE-2024-53704Same vendor: Sonicwall
CVE-2026-0204Same vendor: Sonicwall
CVE-2025-40600Same vendor: Sonicwall
CVE-2025-40599Same vendor: Sonicwall
CVE-2025-71316Shared CWE-176
CVE-2006-10002Shared CWE-176
CVE-2026-7040Shared CWE-176

Affected Assets

sonicwall
sma6210 firmware
≤ 12.4.3-03387 · 12.5.0 — 12.5.0-02624
sonicwall
sma6200 firmware
≤ 12.4.3-03387 · 12.5.0 — 12.5.0-02624
sonicwall
sma7200 firmware
≤ 12.4.3-03387 · 12.5.0 — 12.5.0-02624
sonicwall
sma7210 firmware
≤ 12.4.3-03387 · 12.5.0 — 12.5.0-02624
sonicwall
sma8200v
≤ 12.4.3-03387 · 12.5.0 — 12.5.0-02624

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the improper Unicode encoding handling (CWE-176) by requiring validation of inputs to the TOTP authentication process in the SSLVPN appliance.

prevent

Requires timely identification, reporting, and correction of the specific flaw enabling TOTP bypass in SonicWall SMA1000 series appliances.

prevent

Ensures receipt, dissemination, assessment, and response to the SonicWall PSIRT advisory SNWLID-2026-0003 for this vulnerability and its mitigations.

References