#VU81297 Improper Authentication in NetExtender for Windows
Vulnerability identifier: #VU81297
Vulnerability risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
NetExtender for Windows
Client/Desktop applications /
Other client software
Vendor: SonicWall
Description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in NetExtender Pre-Logon feature. A remote attacker on the local network can gain access to the host Windows operating system with SYSTEM level privileges.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
NetExtender for Windows: 10.2.0.300 - 10.2.336
External links
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0014
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
