Cybersecurity specialists have reported several vulnerabilities in SonicWall’s Global VPN Client. According to the report, exploiting these flaws would allow threat actors to take control of an affected system with relative ease.

Below are brief descriptions of the reported vulnerabilities, along with their CVE identifiers and their scores under the Common Vulnerability Scoring System (CVSS).

CVE-2020-5145: This flaw exists because the application loads DLLs using an insecure method. A remote threat actor could place a specially crafted .dll file on a remote SMB file share, trick the victim into opening a file associated with the vulnerable application, and execute arbitrary code on the target system.

This is a high-severity flaw that received a score of 8.5/10; exploiting it would allow full compromise of the vulnerable system.

CVE-2020-5144: An unsafe search path issue would allow a local user to place a specially crafted file on the system and execute arbitrary code with elevated privileges.

This is a low severity vulnerability that received a score of 7.7/10 on the CVSS scale.
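As an added illustration (not SonicWall's code and not part of the original report), the following Python model of the documented Windows DLL search order shows why an unqualified DLL name can resolve to the folder a document was opened from or to a PATH directory, and how restricting the search to System32 closes that off. The install path, share name, `C:\Tools` and `example.dll` are placeholders; known-DLL and already-loaded-module shortcuts are omitted, and treating the client's bugs as current-directory and PATH lookups is an assumption.

```python
from pathlib import PureWindowsPath as P

# Constructed layout: every path and DLL name below is a placeholder.
APP_DIR = P(r"C:\Program Files\ExampleVpnClient")
SYSTEM32 = P(r"C:\Windows\System32")
SYSTEM16 = P(r"C:\Windows\System")
WINDOWS = P(r"C:\Windows")
PATH_DIRS = [P(r"C:\Tools")]          # assumed writable by ordinary users
TRUSTED = (APP_DIR, SYSTEM32, SYSTEM16, WINDOWS)

def search_order(cwd, safe_mode=True, system32_only=False):
    """Directories Windows probes, in order, for an unqualified DLL name."""
    if system32_only:                 # LOAD_LIBRARY_SEARCH_SYSTEM32
        return [SYSTEM32]
    system = [SYSTEM32, SYSTEM16, WINDOWS]
    if safe_mode:                     # SafeDllSearchMode enabled (default)
        return [APP_DIR, *system, cwd, *PATH_DIRS]
    return [APP_DIR, cwd, *system, *PATH_DIRS]

def resolve(name, cwd, files, **mode):
    """Return the first existing candidate path, or None if the load fails."""
    for directory in search_order(cwd, **mode):
        candidate = directory / name
        if candidate in files:
            return candidate
    return None

def is_untrusted(path):
    """True for loads from a UNC share or outside install/system folders."""
    if path is None:
        return False
    return path.drive.startswith("\\\\") or path.parent not in TRUSTED

def demo():
    """Resolve a DLL missing from trusted folders under each search mode."""
    share = P(r"\\fileserver.example\share\docs")   # CWD after opening a file
    files = {share / "example.dll", SYSTEM32 / "kernel32.dll"}
    modes = {"safe_mode": {"safe_mode": True},
             "legacy": {"safe_mode": False},
             "system32_only": {"system32_only": True}}
    results = {}
    for label, mode in modes.items():
        hit = resolve("example.dll", share, files, **mode)
        results[label] = (hit, is_untrusted(hit))
    return results

if __name__ == "__main__":
    for label, (hit, bad) in demo().items():
        print(f"{label:14} -> {hit} untrusted={bad}")
```

Both default search modes end up loading the copy on the share because the name is absent from the trusted folders; only the System32-restricted search fails closed.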

These vulnerabilities reside in the following versions of SonicWall Global VPN: 4.0.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9, 4.9.10, 4.9.11, 4.9.12, 4.9.13, 4.9.14, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.4.0314.

Despite the risk of remote exploitation of CVE-2020-5145, cybersecurity experts have not detected attempts to actively exploit these flaws. Patches that mitigate the risk of exploitation are now available, and users are advised to update as soon as possible.