Cyber Posture

CVE-2024-12805

Severity: High


Published: 09 January 2025
Modified: 15 April 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0108 (77.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A post-authentication format string vulnerability in SonicOS management allows a remote attacker to crash a firewall and potentially leads to code execution.

Security Summary

CVE-2024-12805 is a post-authentication format string vulnerability (CWE-134) in the SonicOS management interface of SonicWall firewalls. Published on January 9, 2025, it enables a remote attacker to crash the firewall and potentially achieve code execution. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.

Exploitation requires high privileges (PR:H): the attacker must already hold an administrative session on the SonicOS management interface and have network access to it. From that position the format string flaw can be triggered remotely with low attack complexity and no user interaction, crashing the firewall (denial of service); because the attacker controls the format string, the flaw may also be leveraged for arbitrary code execution within the management component. Since the bug is post-authentication, practical exposure is bounded by who can reach the management interface and obtain administrator credentials, so restricting management access to trusted networks and reviewing administrator accounts reduce the attack surface while the fix is applied.
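
The CWE-134 pattern behind this advisory, as an added illustration: this is not SonicOS code and makes no claim about where in SonicOS management the flaw lives. It shows a logger that takes attacker-controlled text as its printf format beside the hardened form, plus the directive counter one would use as a fuzzing oracle or input check. All names (log_fmt, log_untrusted_vulnerable, log_untrusted_safe, count_format_directives, last_log) and the sample inputs are assumptions constructed for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not SonicOS code): generic CWE-134 pattern. */

#define LOG_BUF 256
static char g_log[LOG_BUF];          /* last rendered log line, for inspection */

/* Variadic logger. Whatever is passed as `fmt` is interpreted by vsnprintf,
 * so every %x, %s, %n in it is a conversion directive. */
static int log_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(g_log, sizeof g_log, fmt, ap);
    va_end(ap);
    return written;
}

/* VULNERABLE (CWE-134): user-controlled text becomes the format string.
 * "%x%x%x" leaks stack words into the log; "%n" writes a counter to an
 * attacker-chosen address; a long run of directives reads past the
 * argument area and crashes the process (the DoS in the advisory). */
int log_untrusted_vulnerable(const char *user)
{
    return log_fmt(user);
}

/* HARDENED: the format is a compile-time constant and the user text is only
 * ever consumed as a %s argument, so its '%' characters are inert. */
int log_untrusted_safe(const char *user)
{
    return log_fmt("login from %s", user);
}

/* Return the last rendered log line. */
const char *last_log(void)
{
    return g_log;
}

/* Count conversion directives in untrusted input. Useful as an oracle in a
 * fuzzing harness or as a pre-check in a test suite: any non-zero count
 * reaching a format parameter is a finding. "%%" is a literal percent. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent sign, not a directive */
            s++;
            continue;
        }
        n++;                 /* %x, %n, %s, ... (a lone trailing '%' counts too) */
    }
    return n;
}

int main(void)
{
    /* Constructed sample inputs; the second is a classic probe string. */
    const char *benign = "alice";
    const char *hostile = "%x%x%x%n";

    log_untrusted_safe(hostile);
    printf("safe path  : %s (%d directives in input, none interpreted)\n",
           last_log(), count_format_directives(hostile));

    log_untrusted_vulnerable(benign);
    printf("vulnerable : %s (benign input only; the same call with the hostile\n"
           "             string would read stack memory and may write via %%n)\n",
           last_log());
    return 0;
}
```

The `%x%x%x%n` probe is the usual way to confirm a format string sink during testing: leaked hex words in the output confirm the read primitive, and `%n` turns it into a write. The example deliberately never feeds that string to the vulnerable path, because doing so is undefined behaviour and may crash the process, which is exactly the denial-of-service outcome the advisory describes.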

SonicWall has published details on the vulnerability, including mitigation guidance, in PSIRT advisory SNWLID-2025-0004 at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0004.

Details

CWE(s)
CWE-134: Use of Externally-Controlled Format String

References