Security Advisory 2022-054

Release Date:

Critical SQL Injection Vulnerability



  • 25/07/2022 --- v1.0 -- Initial publication


On July 21st, 2022, SonicWall released security patches for their Analytics On-Prem and GMS products, addressing a critical SQL injection flaw [1,2]. Currently, no reports of a proof of concept (PoC) have been made public and there is no active exploitation in the wild.

Nevertheless, immediate update to the patched versions is recommended.

Technical Details

The vulnerability is being tracked as CVE-2022-22280, it has been rated as critical (CVSS 9.4) and it allows unauthenticated SQL injection due to an Improper Neutralization of Special Elements used in an SQL command, impacting SonicWall GMS and Analytics On-Prem [1,2].

Affected Products

The following product versions are affected from this flaw:

  • GMS 9.3.1-SP2-Hotfix-1 and earlier
  • Analytics and earlier


It is strongly recommended to update to the respective fixed versions:

  • GMS 9.3.1-SP2-Hotfix-2
  • Analytics

Additionally, SonicWall suggests that the likelihood of exploitation may be significantly reduced by incorporating a Web Application Firewall (WAF) to block SQL injection attempts.




We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.