SonicWall addressed a critical SQL injection vulnerability, tracked as CVE-2022-22280 with a CVSS score of 9.4, in its Analytics On-Prem and Global Management System (GMS) products.
"Improper Neutralization of Special Elements used in an SQL Command leading to Unauthenticated SQL Injection vulnerability, impacting SonicWall GMS and Analytics On-Prem." – SonicWall statement
SonicWall researchers pointed out that the likelihood of exploitation may be significantly reduced by incorporating a Web Application Firewall (WAF) that can detect and block SQLi attacks.
The vulnerability was discovered by H4lo & Catalpa of Hatlab DBappSecurity.
SonicWall said it was not aware of active exploitation in the wild or the public release of PoC exploit code targeting the bug.
Organizations using the affected GMS version should apply the patches immediately.