{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4113", "assignerOrgId": "44b2ff79-1416-4492-88bb-ed0da00c7315", "state": "PUBLISHED", "assignerShortName": "sonicwall", "dateReserved": "2026-03-13T11:57:20.974Z", "datePublished": "2026-04-09T14:23:53.270Z", "dateUpdated": "2026-04-13T18:27:04.538Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "44b2ff79-1416-4492-88bb-ed0da00c7315", "shortName": "sonicwall", "dateUpdated": "2026-04-09T14:23:53.270Z"}, "datePublic": "2026-04-09T05:11:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-204", "description": "CWE-204 Observable response discrepancy", "type": "CWE"}]}], "affected": [{"vendor": "SonicWall", "product": "SMA1000", "platforms": ["Linux"], "versions": [{"status": "affected", "version": "12.4.3-03245 (platform-hotfix) and earlier versions."}, {"status": "affected", "version": "12.5.0-02283 (platform-hotfix) and earlier versions."}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials.</p>"}]}], "references": [{"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003", "tags": ["vendor-advisory"]}], "source": {"advisory": "SNWLID-2026-0003", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:27:00.386461Z", "id": "CVE-2026-4113", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:27:04.538Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4113", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T18:27:00.386461Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:26:55.843Z"}}], "cna": {"source": {"advisory": "SNWLID-2026-0003", "discovery": "EXTERNAL"}, "affected": [{"vendor": "SonicWall", "product": "SMA1000", "versions": [{"status": "affected", "version": "12.4.3-03245 (platform-hotfix) and earlier versions."}, {"status": "affected", "version": "12.5.0-02283 (platform-hotfix) and earlier versions."}], "platforms": ["Linux"], "defaultStatus": "unknown"}], "datePublic": "2026-04-09T05:11:00.000Z", "references": [{"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials.", "supportingMedia": [{"type": "text/html", "value": "<p>An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204 Observable response discrepancy"}]}], "providerMetadata": {"orgId": "44b2ff79-1416-4492-88bb-ed0da00c7315", "shortName": "sonicwall", "dateUpdated": "2026-04-09T14:23:53.270Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4113", "state": "PUBLISHED", "dateUpdated": "2026-04-13T18:27:04.538Z", "dateReserved": "2026-03-13T11:57:20.974Z", "assignerOrgId": "44b2ff79-1416-4492-88bb-ed0da00c7315", "datePublished": "2026-04-09T14:23:53.270Z", "assignerShortName": "sonicwall"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials."}], "id": "CVE-2026-4113", "lastModified": "2026-04-13T19:16:52.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T15:16:13.683", "references": [{"source": "PSIRT@sonicwall.com", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003"}], "sourceIdentifier": "PSIRT@sonicwall.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "PSIRT@sonicwall.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,12.4.3-03245 (platform-hotfix) and earlier versions.]"}}, {"platform": ["linux"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,12.5.0-02283 (platform-hotfix) and earlier versions.]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SMA1000", "source": "cna", "vendor": "SonicWall"}, "product": "sma1000", "vendor": "sonicwall"}], "analysis": {"en": {"generated_at": "2026-04-13T22:40:07.761924+00:00", "value": {"mitigation_remediation": ["Update the SonicWall SMA1000 firmware to the latest version that fixes the response\u2011discrepancy flaw.", "Restrict external access to the SSL VPN interface to trusted IP addresses or subnets if a patch is not yet available.", "Consider disabling the SSL VPN service when it is not required.", "Monitor VPN logs for repeated attempts to observe response discrepancies that may indicate enumeration attempts.", "Contact SonicWall support for any interim mitigation advice."], "summary": {"action": "Apply Patch", "impact": "Credential Enumeration"}, "threat_synthesis": {"affected_systems": "All models of the SonicWall SMA1000 series are affected; the advisory does not list specific firmware or model revisions, so any installed SMA1000 unit should be considered vulnerable until an official update is released.", "description_and_impact": "The vulnerability is an observable response discrepancy that allows attackers to determine valid SSL VPN usernames on a SonicWall SMA1000 appliance. It is a CWE-204 type flaw, where differences in the service\u2019s responses are used as a side\u2011channel to enumerate user credentials, potentially exposing sensitive login information and enabling further credential\u2011based attacks if passwords are weak.", "risk_and_exploitability": "The CVSS score of 7.2 places this issue in the high\u2011severity range, but the EPSS figure of less than 1% indicates that exploitation has not yet been observed or is rare. It is not listed in the CISA KEV catalog. Attackers are likely to use a remote, unauthenticated method that observes timing or content differences in server responses to enumerate usernames. If enumeration succeeds, valid usernames can be leveraged for further attacks, especially if passwords are weak or reused."}}}}, "created": "2026-04-10T08:53:36.967481+00:00", "updated": "2026-04-14T16:36:57.990840+00:00", "vendors": ["sonicwall", "sonicwall$PRODUCT$sma1000"]}