Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass.
The authentication token generator in SonicOS SSLVPN uses a cryptographically weak PRNG algorithm (CWE-338), which does not provide sufficient entropy or unpredictability. An attacker, by knowing the algorithm used or observing previously generated tokens, can predict the values of subsequent tokens. This allows them to generate a valid authentication token without providing correct login credentials and gain unauthorized access to the resource protected by the VPN.
A remote, unauthenticated attacker can bypass the SonicOS SSLVPN authentication mechanism and gain unauthorized access to the VPN network, resulting in complete compromise of confidentiality, integrity, and availability of protected resources.
Patches available from the vendor should be applied in accordance with the references: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003
SonicOS SSLVPN — versions indicated in vendor references (SonicWall PSIRT SNWLID-2025-0003)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H